Onit

Senior Application Security Engineer

Pune, Maharashtra · Remote · Senior
Engineering · Security Engineer

Technical Tools
AWS, Azure, GCP, GraphQL, Snyk, CI/CD, OAuth, SaaS, security best practices, system design

About Onit
We're redefining the future of legal operations through the power of AI. Our cutting-edge platform streamlines enterprise legal management, matter management, spend management and contract lifecycle processes, transforming manual workflows into intelligent, automated solutions.

We’re a team of innovators using AI at the core to help legal departments become faster, smarter, and more strategic. As we continue to grow and expand the capabilities of our new AI-centric platform, we’re looking for bold thinkers and builders who are excited to shape the next chapter of legal tech.
If you're energized by meaningful work, love solving complex problems, and want to help modernize how legal teams operate, we’d love to meet you.

Security Architecture & Design Reviews

  • Lead security reviews for application architecture and system design
  • Evaluate designs for:
    • Authentication & authorization models
    • Data access patterns
    • API exposure and trust boundaries
  • Provide clear, actionable guidance to engineering teams
  • Identify risks early and influence secure design decisions

Go-Live Security Reviews & Risk Decisions

  • Conduct pre-production / go-live security assessments
  • Determine whether a feature is safe to launch and which risks must be mitigated vs. accepted
  • Partner with engineering and product to prioritize fixes and define compensating controls
  • Act as a security approver / advisor for production releases

Authentication, Authorization & Access Control

  • Design and assess:
    • OAuth2, OIDC, SAML implementations
    • RBAC / fine-grained authorization models
  • Identify and remediate broken access control and privilege escalation paths
  • Drive adoption of least privilege and secure access patterns

API Security

  • Lead security reviews of REST, GraphQL, and event-driven APIs
  • Identify risks such as:
    • Broken Object Level Authorization (BOLA)
    • Injection vulnerabilities
    • Data leakage
  • Define standards for:
    • API authentication
    • Input validation
    • Rate limiting and abuse protection

AI & Emerging Technology Security

  • Assess security risks in AI-powered features and systems
  • Evaluate threats such as:
    • Prompt injection
    • Data leakage via LLMs
    • Model misuse and access control gaps
  • Help define and implement AI security guardrails
  • Review architectures involving MCP (Model Context Protocol) or similar AI integration patterns

Vulnerability Management & Testing

  • Lead vulnerability identification using static analysis (SAST) and dependency scanning (SCA)
  • Validate findings and eliminate false positives
  • Prioritize vulnerabilities based on exploitability and business impact
  • Drive remediation with engineering teams

Attack Surface & Risk Assessment

  • Assess and map the application attack surface
  • Identify exposed services, endpoints, and integrations
  • Evaluate third-party and supply chain risks
  • Continuously improve visibility into application risk

Security Tooling & DevSecOps

  • Integrate and optimize security tools in CI/CD pipelines
  • Define security gates for builds and releases
  • Automate security checks where possible
  • Improve developer experience with secure defaults

  • 10+ years of experience in Application Security, Security Engineering, or Software Engineering with a strong security focus
  • Proven experience performing security architecture/design reviews, as well as go-live/production readiness security assessments; experience with cloud platforms (AWS, GCP, Azure) preferred
  • Strong understanding of the OWASP Top 10, modern web vulnerabilities, secure system design, and threat modeling
  • Experience with SAST tools (e.g., SonarQube, Checkmarx) and SCA tools (e.g., Snyk, Dependabot)
  • Ability to assess real-world risk and prioritize effectively in a SaaS environment
  • Understanding of LLM risks (prompt injection, data leakage) and AI system architecture
  • Exposure to securing AI features or platforms
  • Familiarity with MCP or similar AI integration patterns
  • Deep expertise in the following:
    • Authentication & Authorization
      • OAuth2, OIDC, SAML
      • RBAC / ABAC / least privilege models
    • API Security
      • REST / GraphQL
      • Common API attack vectors (BOLA, injection, data exposure)
    • Application Security
      • Secure coding practices
      • Input validation, output encoding, session management

Location & Eligibility

Where is the job: Worldwide (fully remote, anywhere in the world)
Who can apply: Same as job location

Listing Details

Posted
May 7, 2026
First seen
May 7, 2026
Last seen
May 9, 2026

Company

Onit (listing source: lever)

Build better ways to work for your unique business.

Employees: 750
Founded: 2011
Domain: onit.com