Senior Application Security Engineer

About This Role

We're looking for a Senior Application Security Engineer to join our Security team and drive hands-on security improvements directly within our codebase. In this role, you'll actively remediate security vulnerabilities identified through penetration tests, CVEs, and automated security scanning tools. Collaborating closely with engineers, designers, and product managers, you'll integrate secure coding practices throughout our software development lifecycle, ensuring robust, secure, and scalable customer-facing features. This role is perfect for someone who enjoys solving security challenges through coding, refactoring legacy code to eliminate vulnerabilities, and partnering cross-functionally to embed security into fast-paced development workflows.

Responsibilities

• Full ownership of security including writing code (75%) in our core applications (Rails, React, Python)
• Address and remediate penetration test findings by writing secure, maintainable code fixes
• Identify, analyze, and promptly resolve CVEs impacting our codebase and infrastructure by writing PRs
• Investigate, prioritize, and fix findings identified by GitHub Advanced Security
• Own, develop, and facilitate Secure Code Training initiatives to enhance developer security awareness and coding practices
• Integrate security considerations directly into the software development lifecycle (SDLC), working collaboratively with engineering squads on application design and architecture
• Implement rate limiting and related safeguards within applications to prevent abuse and improve platform resilience
• Author, review, and integrate security-focused tests into automated testing suites to proactively detect vulnerabilities and regressions
• Develop and enhance application security logging, monitoring, and alerting capabilities to rapidly identify and respond to threats
• Implement and maintain automated security scanning within CI/CD pipelines, ensuring vulnerabilities are identified and addressed early
• Refactor and harden legacy codebases, proactively addressing insecure patterns to mitigate future risks and reduce technical debt
• Build and maintain security-focused tooling, automation, and CI/CD integrations to enable secure-by-default development
• Participate in an on-call rotation, including handling security-related escalations

Technologies and tools we use:

• Frontend: React, TypeScript, AntD, Jest + React Testing Library
• Backend: Ruby, Rails, Node, Postgres, Redis, Sidekiq Pro, RSpec
• Fundamentals: Shell, SQL, config file and environment configuration
• Workflow and Deployment: Github, AWS, DataDog, Jira, Confluence, Sentry, Code Climate, Pagerduty Slack, Fellow

Preferred Qualifications

• 5+ years of experience working on or closely with engineering teams to secure customer-facing applications
• 4+ years experience securing (writing code) full-stack applications using modern JavaScript frameworks (React, TypeScript, NextJS) and backend technologies (Rails/Ruby preferred)
• 3+ years experience building or reviewing authentication, authorization, and session management flows
• 2+ years experience working in cloud-native environments (AWS preferred) with knowledge of container and service mesh security (e.g., Kubernetes, Istio)
• Familiarity with secure coding practices, static and dynamic analysis (e.g., Github Advanced Security, Semgrep, Snyk)
• Strong understanding of web application vulnerabilities (e.g., OWASP Top 10), threat modeling, and secure design principles
• Experience conducting security code reviews and participating in SDLC security checkpoints

Bonus Qualifications

• Experience establishing security controls and processes in fast-paced environments.
• Experience with incident response, security alert triage, or on-call rotations
• Hands-on experience with observability and alerting tools (e.g., Datadog, PagerDuty)