Were looking for a Staff Application Security Engineer to join our IT and Security team. This role is ideal for a hands-on security professional who is passionate about working closely with engineering teams to design secure software, fix vulnerabilities, and promote a culture of security across the organization.
Youll be responsible for shaping and owning our Secure Software Development Lifecycle (SSDLC), managing security tooling, and leading the assessment of application and API security across our products and services.
Here are a few of the things you will do:
Collaborate directly with engineering teams to define remediation strategies, track implementation, and validate security fixes across the application stack.
Design, implement, and drive SSDLC practices across the company-from security design reviews and threat modeling to proactive triaging in production.
Conduct threat modeling, architecture reviews, and security assessments of cloud-based applications and services, including those leveraging emerging technologies.
Manage our bug bounty program, validating reports and coordinating response and resolution.
Own and operate our suite of AppSec tools including SAST, ASPM, and other security scanners-triaging findings, prioritizing issues, and guiding engineering toward resolution.
Review source code and applications to identify vulnerabilities and collaborate with dev teams on remediation.
Act as the point of contact for findings from penetration tests, automated scanners, and external assessments, helping manage triage and ensure timely fixes.
Continuously research and stay current with application security trends, frameworks, vulnerabilities, and best practices.
Promote a strong security culture across by educating and enabling engineers, architects, and DevOps teams to build secure software from the ground up.
Youll be responsible for shaping and owning our Secure Software Development Lifecycle (SSDLC), managing security tooling, and leading the assessment of application and API security across our products and services.
Here are a few of the things you will do:
Collaborate directly with engineering teams to define remediation strategies, track implementation, and validate security fixes across the application stack.
Design, implement, and drive SSDLC practices across the company-from security design reviews and threat modeling to proactive triaging in production.
Conduct threat modeling, architecture reviews, and security assessments of cloud-based applications and services, including those leveraging emerging technologies.
Manage our bug bounty program, validating reports and coordinating response and resolution.
Own and operate our suite of AppSec tools including SAST, ASPM, and other security scanners-triaging findings, prioritizing issues, and guiding engineering toward resolution.
Review source code and applications to identify vulnerabilities and collaborate with dev teams on remediation.
Act as the point of contact for findings from penetration tests, automated scanners, and external assessments, helping manage triage and ensure timely fixes.
Continuously research and stay current with application security trends, frameworks, vulnerabilities, and best practices.
Promote a strong security culture across by educating and enabling engineers, architects, and DevOps teams to build secure software from the ground up.
Requirements:
Interested? Here's what we're looking for:
5+ years of experience in Application Security, Product Security, or Secure Software Development.
Proven experience working with modern web application stacks, cloud-native architectures, APIs, and CI/CD pipelines.
Strong understanding of application security principles, common vulnerabilities (OWASP Top 10), and secure coding best practices.
Experience with security tools like Burp Suite, Oligo, VeraCode, SonarQube, or similar (SAST/DAST/IAST/API tools).
Hands-on experience with code review and static analysis for security issues across languages like JavaScript, Python, Go, or similar.
Familiarity with cloud platforms (AWS preferred) and infrastructure-as-code security.
Experience managing bug bounty programs and third-party testing engagements.
Excellent communication skills-able to translate security concepts into developer-friendly language and work cross-functionally across teams.
Ability to balance pragmatic risk mitigation with product velocity, business needs, and user experience.
A growth mindset and a desire to mentor others and continuously improve HoneyBooks security posture.
Certifications like OSCP, GWAPT, CISSP, or CSSLP are a plus but not required.
Interested? Here's what we're looking for:
5+ years of experience in Application Security, Product Security, or Secure Software Development.
Proven experience working with modern web application stacks, cloud-native architectures, APIs, and CI/CD pipelines.
Strong understanding of application security principles, common vulnerabilities (OWASP Top 10), and secure coding best practices.
Experience with security tools like Burp Suite, Oligo, VeraCode, SonarQube, or similar (SAST/DAST/IAST/API tools).
Hands-on experience with code review and static analysis for security issues across languages like JavaScript, Python, Go, or similar.
Familiarity with cloud platforms (AWS preferred) and infrastructure-as-code security.
Experience managing bug bounty programs and third-party testing engagements.
Excellent communication skills-able to translate security concepts into developer-friendly language and work cross-functionally across teams.
Ability to balance pragmatic risk mitigation with product velocity, business needs, and user experience.
A growth mindset and a desire to mentor others and continuously improve HoneyBooks security posture.
Certifications like OSCP, GWAPT, CISSP, or CSSLP are a plus but not required.
This position is open to all candidates.
