About the Role:Our engineering organization is growing, and with that growth comes an expanding application and infrastructure footprint that requires dedicated application security ownership. This role exists to build that function from the ground up.
As our first dedicated Staff Application Security Engineer, you will own the design and implementation of our application security program, from SAST and DAST tooling to secure SDLC practices, threat modeling, dependency security, and penetration testing coordination. You will work directly with engineering teams across a cloud-based environment securing both customer-facing products and internal systems.
You will be reporting directly to the Head of Security and will have the autonomy and organizational support to build an application security program that is practical, scalable, and aligned to the risk profile of a company operating in the digital asset space.
Primary Responsibilities:- Static & Dynamic Application Security Testing (SAST / DAST)
- Own the full implementation of SAST tooling across all codebases and CI/CD pipelines
- Own the full implementation of DAST tooling across all customer-facing and internal applications
- Establish baseline findings, prioritize remediation, and work directly with engineering to resolve issues
- Maintain and tune tooling over time as the codebase and attack surface evolve
- Secure SDLC & Code Integrity
- Define and enforce a secure software development lifecycle across engineering teams
- Establish secure release processes including code signing and build integrity verification
- Develop and maintain security standards, guidelines, and secure coding practices
- Integrate security checkpoints throughout the development pipeline without creating unnecessary friction for engineering
- Threat Modeling
- Lead threat modeling exercises for new infrastructure designs, features, and system changes
- Ensure all customer-facing and internal applications are fully documented and threat modeled
- Maintain a living inventory of the company's attack surface and ensure it reflects current architecture
- Dependency & Supply Chain Security
- Implement and manage dependency scanning across all projects
- Enforce version pinning policies to reduce exposure from uncontrolled dependency updates
- Deploy and manage supply chain security tooling (e.g., Socket.dev or equivalent) to monitor for malicious or compromised dependencies
- Establish a process for ongoing dependency review and remediation
- Penetration Testing
- Define and maintain a penetration testing program covering all surface areas - applications, APIs, internal tooling, and infrastructure
- Scope, schedule, and manage third-party penetration testing engagements
- Track findings through to remediation and validate fixes
- Secrets Management
- Design and implement a secrets management program across cloud infrastructure and engineering workflows
- Eliminate hardcoded credentials and secrets from codebases
- Establish policies and tooling for secrets rotation, access control, and audit logging
- Fuzzing & Attack Surface Coverage
- Implement fuzz testing across applicable components, particularly APIs and input-handling logic
- Ensure coverage gaps in the attack surface are identified, documented, and addressed systematically
Role Requirements:- 7+ years of experience in application security or a closely related discipline
- Demonstrated experience building or significantly maturing an application security program
- Deep hands-on experience with SAST and DAST tooling implementation and management
- Strong knowledge of secure SDLC practices and CI/CD pipeline security integration
- Experience with dependency scanning and software supply chain security
- Proficiency in threat modeling methodologies (STRIDE, PASTA, or equivalent)
- Experience managing or coordinating third-party penetration testing engagements
- Solid understanding of secrets management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, or equivalent)
- Strong written and verbal communication skills - able to document findings and present risk clearly to both technical and non-technical audiences
What We Offer: - Compensation: $185,000 to $260,000 + Equity
- Equity compensation as a component of all offers
- Health insurance, including dental and vision plans
- Health, Dependent Care and Commuter Flexible Spending Accounts
- Paid Parental Leave
- Life insurance; short- and long-term disability plans
- Company-funded 401(k) plan, no matching required
- Unlimited PTO
- 10 paid company-wide holidays
- Company-wide winter break for most roles
- Office spaces in San Francisco, New York, and London
- Meals and snacks provided in office
- Paid company cell phone or stipend
- Bitwise "Buddy" Program (30-day new-hire success program)
- Annual anniversary gifts
- Company-wide events including annual holiday party
- Internal Women of Bitwise (WOB) group with fun events
Your Interview Process: Our interview process ensures the best fit for both you and Bitwise, and we strive to make each step valuable, insightful, and efficient.
- Recruiter Interview
- Hiring Manager Interview
- Work Sample
- Meeting the Team
- Executive/Founders Interview
- References
- Offer!
The pay range for this role is:
185,000 - 260,000 USD per year (Remote)
185,000 - 260,000 USD per year (NYC Office)
185,000 - 260,000 USD per year (SF Office)
185,000 - 260,000 USD per year (London Office)
