Application Security Engineer – Threat Modeling & Risk/Privacy Alignment

Company: BambooHR
Location: Utah, USA
Salary: Not provided
Type: Full-Time
Degrees: Bachelor’s
Experience Level: Mid Level, Senior

Requirements

  • Bachelor’s degree in Computer Science, Information Security, or a related field, or equivalent practical experience.
  • Minimum 3 years of specific, hands-on experience in Application Security.
  • AI and Automation-first mindset.
  • Deep understanding of web application and API security principles, including authentication, authorization (OAuth, OpenID Connect, JWT), session management, and access control models.
  • Demonstrated ability to translate technical security risks into clear, concise business terms for diverse audiences, including legal, privacy, and product stakeholders.
  • Experience collaborating directly with product teams to integrate security into product roadmaps and balance security with user experience.
  • Strong knowledge of common web application vulnerabilities (OWASP Top 10).
  • Excellent communication, interpersonal, and presentation skills.

Responsibilities

  • Lead and facilitate formal threat modeling exercises (e.g., STRIDE, LINDDUN, Attack Trees) for new and existing features, APIs, data flows, and architectural designs, translating technical risks into actionable insights.
  • Act as a key liaison between engineering, product, legal, and privacy teams, effectively translating technical security risks into business terms and collaborating to find balanced solutions that meet both security and product goals.
  • Provide deep expertise and guidance on secure authentication mechanisms, session management, and complex access control models relevant to a multi-tenant SaaS platform.
  • Partner closely with product managers and engineering teams to embed security requirements early in the product development lifecycle, balancing user experience (UX) with robust security.
  • Address security challenges unique to a SaaS environment, including multi-tenancy isolation, secure API design principles, prevention of horizontal privilege escalation, and secure data handling.
  • Conduct hands-on security testing of APIs using various tools (e.g., Burp Suite, Postman, custom scripts) to identify vulnerabilities and ensure secure communication and data exchange.
  • Define and document detailed security requirements and controls for new features and system enhancements.
  • Provide expert security consultation and guidance to development teams on secure coding practices, architectural patterns, and vulnerability remediation.
  • Stay current with the latest security threats, industry best practices, and emerging technologies, advocating for their adoption to enhance our platform’s security posture.

Preferred Qualifications

  • Relevant security certifications (e.g., CSSLP, GCSA, CISSP).
  • Experience with privacy frameworks and regulations (e.g., GDPR, CCPA).
  • Familiarity with cloud security architecture (AWS, Azure, GCP).
  • Experience with security champions programs.