Sr. Application Security Engineer

Lumin Digital

$155K — $175K *
US-Anywhere (Remote in United States)
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree in Computer Science, Cybersecurity, or related field, or equivalent work experience.
  • 7+ years in application security or related domains within production SaaS environments.
  • Hands-on experience with secure software development and security testing methodologies (SAST, DAST, SCA, penetration testing).
  • Proficiency in AI-powered tools for security (e.g., Claude Code, Claude Security) in daily workflows.
  • Experience securing cloud-native applications and APIs from security vulnerabilities.
  • Knowledge of AI-specific attack surfaces and securing LLM-integrated applications.

Responsibilities

  • Lead architecture reviews ensuring secure application design throughout the lifecycle.
  • Refine secure coding standards using automated security scans and AI-assisted reviews.
  • Design and evolve Application Security Posture Management (ASPM) capabilities.
  • Improve threat modeling frameworks and leverage AI tools for rapid analysis.
  • Develop automation tools to enhance detection capabilities within cloud environments.
  • Manage the bug bounty program from strategy to engagement with researchers.
  • Assess vulnerabilities for impact and ensure timely remediations.

Benefits

  • Remote-first working environment providing flexibility.
  • Opportunity to work with cutting-edge AI technologies in security.
  • Engagement in influencing product roadmaps with security enhancements.
  • Mentorship opportunities for growth within security engineering.
  • Minimal travel requirements, fostering a balanced work-life environment.

Full Job Description

Basic Function

The Senior Application Security Engineer is a hands-on technical leader responsible for securing Lumin Digital's B2B2C SaaS platform across the full software development lifecycle. This role exists at the intersection of application security and AI-augmented engineering: the ideal candidate actively uses AI-powered tools such as Claude Code and Claude Security in their daily workflow to find vulnerabilities faster, automate remediation, and scale security coverage beyond what traditional approaches allow. As AI rapidly transforms how code is written, reviewed, and deployed, this engineer will lead the effort to secure AI-integrated applications, harden CI/CD pipelines, and establish governance for responsible AI adoption across product and engineering teams. Success in this role requires deep technical fluency, a bias toward building and doing over advising, and the ability to operate independently in a fast-moving, remote-first environment.

Essential Functions and Responsibilities:
  • Lead security architecture reviews for new and existing applications, ensuring secure-by-design principles are embedded from initial design through deployment and ongoing operation.
  • Develop, enforce, and continuously refine secure coding standards across engineering teams through a combination of automated security scans (SAST, DAST, SCA), AI-assisted code review using tools such as Claude Code, periodic manual code audits, and targeted secure development training.
  • Own the design, implementation, and evolution of Application Security Posture Management (ASPM) capabilities, integrating signals from static analysis, dynamic testing, software composition analysis, and runtime telemetry to build risk-scoring models that balance exploitability, data sensitivity, and business impact.
  • Continuously improve threat modeling frameworks across application components, third-party integrations, cloud-native architectures, and AI/LLM-powered features, leveraging tools such as Claude Security for accelerated threat model generation and scenario analysis.
  • Develop custom security automation tools and scripts to improve detection and response capabilities across cloud environments, including AI-assisted vulnerability auto-fix workflows and integration of AI-powered security tooling into CI/CD pipelines.
  • Own and operate the company's bug bounty program end-to-end: define program strategy and scope, triage and validate external researcher submissions, assess severity, and maintain productive engagement with the security research community.
  • Manage vulnerability triage and prioritization processes, ensuring vulnerabilities are assessed based on exploitability, business impact, and compliance requirements, and that remediation timelines align with organizational risk tolerance.
  • Influence product roadmaps by identifying and advocating for security enhancements aligned with evolving regulatory requirements, industry best practices, and the emerging threat landscape for AI-integrated applications.
  • Mentor security engineers and developers through hands-on guidance in secure coding, vulnerability remediation, and effective use of AI-augmented security workflows.
  • Present security findings, risk assessments, and program metrics to senior leadership, clients, auditors, and regulators in a clear, actionable manner.
  • Perform other duties as assigned.

Physical Demands:
  • While performing the duties of this job, the employee is regularly required to sit; use hands to type, handle, or feel; and talk or hear.
  • Specific vision abilities required by this job include close vision.
  • Ability to occasionally lift/move up to 25 pounds.
  • Individuals with a disability who are otherwise able to perform the essential functions of the job may request reasonable accommodation through the Human Resources department.

Supervisory Responsibility:

None

Position Specifications

Education:
  • Bachelor's in Computer Science, Cybersecurity, Information Assurance, Software Engineering, or a related field, or an equivalent combination of education and experience.
  • Preferred certifications: CSSLP, OSCP, GWEB, or GWAPT.

Experience:
  • Seven (7+) years of progressive experience in application security, software security engineering, or a closely related domain within production SaaS environments.
  • Extensive hands-on experience in secure software development, DevSecOps pipeline design, and security testing methodologies (SAST, DAST, SCA, penetration testing).
  • Demonstrated experience securing large-scale cloud-native applications, APIs, and microservices architectures.
  • Experience leading application security initiatives, defining program strategy, and mentoring engineering teams on secure development practices.
  • Demonstrated, regular hands-on use of AI-powered security and development tools (e.g., Claude Code, Claude Security, or comparable coding/security assistants) as part of daily security engineering workflows, not solely in an evaluative, advisory, or training capacity.
  • Experience assessing AI-specific attack surfaces in LLM-integrated applications, including prompt injection, context leakage, insecure tool use, and model denial-of-service.

Knowledge, Skills, & Abilities:

Required:
  • Deep expertise in AWS security, Kubernetes security, and cloud-native application security best practices.
  • Strong programming proficiency with the ability to review and assess security risks in one or more of: Java, C#, JavaScript/TypeScript, Python, Swift, or Kotlin.
  • Expertise in secure authentication and authorization mechanisms, including OAuth 2.0, OIDC, SAML, JWT, WebAuthn, and Zero Trust principles.
  • Hands-on proficiency with AI-augmented security workflows, including daily use of AI tools (e.g., Claude Code, Claude Security) for vulnerability discovery, remediation assistance, threat modeling, and security automation across the SDLC.
  • Strong understanding of OWASP Top 10, OWASP Top 10 for LLM Applications, SANS 25, CVSS/EPSS scoring, and the MITRE ATT&CK framework.
  • Ability to identify, assess, and mitigate prompt injection vulnerabilities (direct and indirect) in LLM-integrated applications through input validation, output sanitization, instruction hierarchy enforcement, and adversarial prompt testing.
  • Experience with secure context window management in AI-powered products, including preventing sensitive data leakage, enforcing context isolation boundaries, and defining data classification policies for AI model inputs.
  • Hands-on experience with security automation and scripting (Python, Bash, or equivalent).
  • Proficiency in penetration testing methodologies, including automated and manual security testing of web applications, APIs, and mobile platforms.
  • Strong knowledge of encryption standards, cryptographic best practices, and secrets management.
  • Ability to communicate complex security concepts to both technical and non-technical audiences, and to present risk assessments to senior leadership and external stakeholders.
  • Demonstrated ability to work independently in a remote setting while maintaining high performance and accountability.

Preferred:
  • Experience evaluating the security posture of AI providers (API security reviews, data residency assessments, vendor risk questionnaires, and contractual security requirements).
  • Familiarity with AI model access controls and secrets hygiene in AI pipelines, including least-privilege principles for LLM tool integrations and securing model inference endpoints.
  • Experience with SIEM, WAF, and security monitoring tools.
  • Familiarity with cloud security controls in AWS, including IAM, security groups, KMS, Lambda security, and cloud monitoring.
  • Strong project management abilities and experience collaborating across product, engineering, and compliance teams.

Travel:
  • Minimal, generally 12 days or less per year, including approximately two team get-togethers a year.

$155,000 - $175,000 a year
