Senior Application Security Engineer

Key Responsibilities

Security Architecture & Design Reviews

• Lead security reviews for application architecture and system design
• Evaluate designs for:
• Authentication & authorization models
• Data access patterns
• API exposure and trust boundaries
• Provide clear, actionable guidance to engineering teams
• Identify risks early and influence secure design decisions

Go-Live Security Reviews & Risk Decisions

• Conduct pre-production / go-live security assessments
• Determine whether a feature is safe to launch and what risks must be mitigated vs accepted
• Partner with engineering and product to prioritize fixes and define compensating controls
• Act as a security approver / advisor for production releases

Authentication, Authorization & Access Control

• Design and assess:
• OAuth2, OIDC, SAML implementations
• RBAC / fine-grained authorization models
• Identify and remediate broken access control and privilege escalation paths
• Drive adoption of least privilege and secure access patterns

API Security

• Lead security reviews of REST, GraphQL, and event-driven APIs
• Identify risks such as:
• Broken Object Level Authorization (BOLA)
• Injection vulnerabilities
• Data leakage
• Define standards for:
• API authentication
• Input validation
• Rate limiting and abuse protection

AI & Emerging Technology Security

• Assess security risks in AI-powered features and systems
• Evaluate threats such as:
• Prompt injection
• Data leakage via LLMs
• Model misuse and access control gaps
• Help define and implement AI security guardrails
• Review architectures involving MCP (Model Context Protocol) or similar AI integration patterns

Vulnerability Management & Testing

• Lead vulnerability identification using Static analysis (SAST) and Dependency scanning (SCA)
• Validate findings and eliminate false positives
• Prioritize vulnerabilities based on exploitability and business impact
• Drive remediation with engineering teams

Attack Surface & Risk Assessment

• Assess and map application attack surface
• Identify exposed services, endpoints, and integrations
• Evaluate third-party and supply chain risks
• Continuously improve visibility into application risk

Security Tooling & DevSecOps

• Integrate and optimize security tools in CI/CD pipelines
• Define security gates for builds and releases
• Automate security checks where possible
• Improve developer experience with secure defaults

Required Skills

6+ years of experience in Application Security, Security Engineering, or Software Engineering with a strong security focus

Proven experience performing security architecture/design reviews, as well as Go-live/production readiness security assessments, with experience with cloud platforms (AWS, GCP, Azure) preferred

Strong understanding of OWASP Top 10 and modern web vulnerabilities and secure system design and threat modeling

Experience with SAST tools (e.g., SonarQube, Checkmarx) and SCA tools (e.g., Snyk, Dependabot)

Ability to assess real-world risk and prioritize effectively in a SaaS environment

Understanding of LLM risks (prompt injection, data leakage) and AI system architecture

Exposure to securing AI features or platforms

Familiarity with MCP or similar AI integration patterns

Deep Expertise in the following:

• Authentication & Authorization
  • OAuth2, OIDC, SAML
  • RBAC / ABAC / least privilege models
  • API Security
    • REST / GraphQL
    • Common API attack vectors (BOLA, injection, data exposure)
    • Application Security
      • Secure coding practices
      • Input validation, output encoding, session management