Mid Application Security Engineer
Job Description
RESPONSIBILITIES
- Perform application security assessments including manual code review, SAST, DAST, SCA, and targeted penetration testing.
- Lead threat modeling sessions for new features, architectural changes, and AI/LLM-backed workflows with customer product and engineering teams.
- Integrate security tooling (Semgrep, Snyk, CodeQL, GitHub Advanced Security, Burp Suite) into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) with minimal developer friction.
- Triage, track, and drive remediation of findings across web, mobile, and API surfaces with developer-friendly workflows and SLAs.
- Design and maintain secure coding standards, authentication and authorization patterns (OAuth 2.0, SAML, JWT), and training materials for customer development teams.
- Evaluate third-party libraries, vendor integrations, and open-source dependencies for supply chain and security risk.
- Support incident response activities and contribute to post-incident analysis with a focus on application-layer root cause.
- Write and maintain documentation, runbooks, and architecture decision records (ADRs) for AppSec tooling, coding standards, and remediation playbooks.
QUALIFICATIONS
- 3 to 5 years of experience in application security, penetration testing, or secure software development.
- Strong knowledge of OWASP Top 10, CWE, and common web and API vulnerability classes.
- Hands-on experience with at least two of the following: SAST, DAST, SCA, or IAST tools in real CI/CD environments.
- Proficiency in one or more programming languages (Python, Go, JavaScript/TypeScript, or Java) for automation, tooling, and integration work.
- Familiarity with modern development workflows including Git, CI/CD pipelines, and containerized environments.
- Solid understanding of authentication and authorization frameworks (OAuth 2.0, SAML, JWT).
- Excellent communication skills with the ability to translate security findings into actionable engineering tasks.
- Must be located in the SF Bay Area or willing to travel to our San Francisco office on a regular cadence.
NICE TO HAVE
- Relevant certifications such as OSCP, GWAPT, CEH, or CSSLP.
- Experience with bug bounty programs or responsible disclosure processes.
- Familiarity with cloud security on AWS, GCP, or Azure, including cloud-native workload protection.
- Prior contributions to open-source security tooling.
First seen 2026-05-05 20:48:01 · Last verified 2026-05-06 00:48:01
Pentest Careers · pentestcareers.com