Senior Application Security Engineer
Locations Supported 🌍
- US
- Canada (Toronto)
- Mexico
Relocation available: No
Work pattern:
- This role will be remote.
About the Opportunity
Our SRE/Cloud Security teams are a dynamic blend of proactive defenders and inquisitive problem-solvers. We are dedicated to strengthening our systems through rigorous security reviews and hands-on penetration testing, and we actively manage our Bug Bounty program to ensure timely validation, response, and remediation.
We leverage cutting-edge tools and techniques to build robust defenses, and collaboration is central to how we work, embedding security best practices throughout the SDLC. We continuously research emerging threats, develop effective mitigation strategies, and empower engineering teams through clear guidance and practical security training.
We maintain up-to-date security standards and documentation, lead incident response efforts with precision, and are passionate about spreading a secure-by-design culture while contributing to the wider security community.
What You Will Do
- Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process.
- Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate.
- Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation.
- Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls.
- Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance.
- Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack.
- Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization.
- Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation.
- Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements.
About You
Must-have experience and skills
- You have developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security, and can connect these areas to drive a holistic security approach.
- You have hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation.
- You have the ability to read, understand, and review source code to identify security issues, ideally with a particular focus on JavaScript and TypeScript codebases.
- You have a strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC).
- You have experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns.
- You have experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle.
- You have collaborated closely with engineering teams to clearly communicate security findings to both technical and non-technical audiences, explaining vulnerabilities, attack paths, and mitigations, and supporting the implementation of effective fixes.
- You are self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset.
Nice-to-have experience
- You have experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases.
- You have experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities, to help secure and operate internet-facing applications.
- You have experience testing and securing GraphQL and REST APIs, including understanding common GraphQL/REST-specific attack vectors and security considerations.
- You have experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations.
- You have an interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications.
Bonus Points
- You contribute or have contributed to the security community through open source involvement, participation in CTFs, or speaking at local information security meetups and conferences.
- Your background includes experience working with disruptive technologies and successfully launching products, ideally within FinTech, SaaS, or Crypto.
- You hold one or more security-relevant certifications such as OSCP or OSWE.
Security pay context
Based on 1,632 disclosed Security salaries on RoleSuite, the role pays a median of $142K/year, with most offers between $114K and $179K (10th–90th percentile: $93K–$215K).
This posting lists $250K–$250K, above the $142K market median.