We're seeking a Senior Application Security Engineer who comes from a genuine software engineering background - someone who has designed, written, shipped, and maintained production code and then moved into security (or wants to formalize that move). You'll join the CISO organization as the security backbone of our R&D engine: owning the Secure SDLC end-to-end, embedding security into every stage of development, and partnering with R&D, DevOps, Architecture, and Product so that every line of code and every feature we ship - including our AI capabilities - meets the highest security standards.
This is a high-impact, hands-on role reporting directly to the CISO, with a clear growth path to AppSec Lead and exposure to GRC, cloud, and AI security.
What You'll Do
Secure SDLC & Application Security
Own and continuously evolve Secure SDLC (SSDLC), integrating security gates from design to deployment.
Lead threat modeling (STRIDE / PASTA / attack trees) for new features, architectural changes, and AI components.
Perform and oversee secure code reviews, design reviews, and security architecture reviews - and pair directly with developers on remediation, reference fixes, and reusable secure patterns / "paved-road" libraries.
Manage and operate the SAST, DAST, IAST, SCA, and secret-scanning stack; tune rules, triage findings, drive remediation, and reduce noise.
Define and enforce AppSec policies, secure-coding guidelines, and standards aligned with OWASP Top 10, ASVS, and SAMM.
Software supply-chain security: SBOM generation/analysis, open-source component risk, and dependency hygiene across R&D.
Requirements
Strong, hands-on software engineering background - 5+ years building and shipping production software in a team (e.g., Java, JavaScript/TypeScript, Python, Node, React, etc.). You've designed, written, reviewed, debugged, and maintained real systems and understand engineering trade-offs and processes - not solely AI-assisted/low-code generation. This depth is what makes your security guidance credible to developers.
Bachelor's degree in Computer Science, Information Security, or a related field (or equivalent experience).
2+ years focused on application/product security, or a clear, demonstrated transition from engineering into AppSec.
Experience in Secure SDLC implementation across modern CI/CD environments (GitHub/GitLab, Jenkins, ArgoCD, etc.).
Hands-on with SAST, DAST, SCA, and secret-scanning tools (e.g., Checkmarx, Snyk, SonarQube, Semgrep, Trivy; Burp/ZAP a plus).
Working knowledge of OWASP Top 10, ASVS, SAMM, CWE/SANS Top 25, and threat modeling (STRIDE/PASTA).
Secure API development (REST/GraphQL) and cloud security fundamentals (AWS preferred; IAM, containers/Kubernetes, IaC/Terraform).
This position is open to all candidates.