We are seeking a mid-level Application Security Engineer who will own the design, deployment, and operationalization of customer application security programs across diverse product stacks. Working closely with customer product, engineering, and security peers, you will lead threat modeling and code review, embed SAST, DAST, and SCA into CI/CD pipelines, drive remediation across web, mobile, and API surfaces, and build the secure development practices that engineering teams actually adopt. This position is based in our SF office on a hybrid schedule; candidates outside the Bay Area who are willing to travel regularly are also encouraged to apply.
RESPONSIBILITIES
• Perform application security assessments including manual code review, SAST, DAST, SCA, and targeted penetration testing.
• Lead threat modeling sessions for new features, architectural changes, and AI/LLM-backed workflows with customer product and engineering teams.
• Integrate security tooling (Semgrep, Snyk, CodeQL, GitHub Advanced Security, Burp Suite) into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) with minimal developer friction.
• Triage, track, and drive remediation of findings across web, mobile, and API surfaces with developer-friendly workflows and SLAs.
• Design and maintain secure coding standards, authentication and authorization patterns (OAuth 2.0, SAML, JWT), and training materials for customer development teams.
• Evaluate third-party libraries, vendor integrations, and open-source dependencies for supply chain and security risk.
• Support incident response activities and contribute to post-incident analysis with a focus on application-layer root cause.
• Write and maintain documentation, runbooks, and architecture decision records (ADRs) for AppSec tooling, coding standards, and remediation playbooks.
QUALIFICATIONS
• 3 to 5 years of experience in application security, penetration testing, or secure software development.
• Strong knowledge of OWASP Top 10, CWE, and common web and API vulnerability classes.
• Hands-on experience with at least two of the following: SAST, DAST, SCA, or IAST tools in real CI/CD environments.
• Proficiency in one or more programming languages (Python, Go, JavaScript/TypeScript, or Java) for automation, tooling, and integration work.
• Familiarity with modern development workflows including Git, CI/CD pipelines, and containerized environments.
• Solid understanding of authentication and authorization frameworks (OAuth 2.0, SAML, JWT).
• Excellent communication skills with the ability to translate security findings into actionable engineering tasks.
• Must be located in the SF Bay Area or willing to travel to our San Francisco office on a regular cadence.
NICE TO HAVE
• Relevant certifications such as OSCP, GWAPT, CEH, or CSSLP.
• Experience with bug bounty programs or responsible disclosure processes.
• Familiarity with cloud-native security (AWS, GCP, or Azure) and cloud-native workload protection.
• Prior contributions to open-source security tooling.