Application Security Engineer

Summary

Join One as an Application Security Engineer and contribute to delivering secure and reliable applications at scale, partnering with engineers to build security into products from the ground up.

Requirements

• 4+ years of experience in security engineering, DevSecOps, and application development
• Excellent knowledge of the CVSS, MITRE ATT&CK, and OWASP Top 10
• Proficiency in TypeScript
• Practical understanding of AWS and its core services (VPC, EC2, RDS)
• Demonstrated experience in modern application architecture and deployment practices
• Experience with Library/API/Framework development
• Experience with integrating security scanning tools with CI/CD, Web Application pentesting, fuzzing and DAST
• Expertise in verifying and measuring common security vulnerabilities, and demonstrated ability to communicate these concepts to technical and non-technical partners
• Exposure to most of the following technologies: AWS, iOS, Android, Vault, Kubernetes, PKI, React, GraphQL, and Datadog
• Knowledge of cryptography including algorithms, standards, and their practical applications such as x.509 certificates
• Experience defining security architecture patterns and standards
• Proficiency in modern security evaluation tooling (Burp, Wireshark, Kali et al.)

Responsibilities

• Ensuring the quality and security of our applications and products by guiding their development through the Secure Development Lifecycle (SDLC) process
• Performing SAST/DAST and penetration testing on core application services, web applications, and mobile applications
• Developing, maintaining, and extending our in-house application security and penetration testing automated testing framework
• Developing safe libraries and hardening existing libraries and frameworks to eliminate classes of vulnerabilities
• Ensuring SDLC practices are enforced via Infrastructure-As-Code (IaC) policies, wherever possible
• Working closely with Engineering teams to validate the security posture of new features prior to production deployment
• Triaging and validating security vulnerabilities found or reported, and serving as a subject-matter expert in AppSec to the Engineering team in identifying and implementing mitigation solutions
• Refactoring and deploying secure libraries and frameworks across the code repository
• Training engineers, architects, code reviewers, and others on secure coding practices
• Contributing to application threat models
• Constantly maintaining awareness of known vulnerabilities in application technologies used within One
• Working with the Security and other engineering teams to maintain a security architecture that provides security controls throughout all platforms to mitigate risk, and to meet goals and regulatory requirements
• Providing expertise around code-level security concerns during product development

Benefits

• Competitive cash
• Benefits effective on day one
• Early access to a high potential, high growth fintech
• Generous stock option packages in an early-stage startup
• Remote friendly (anywhere in the US) and office friendly - you pick the schedule
• Flexible time off programs - vacation, sick, paid parental leave, and paid caregiver leave
• 401(k) plan with match