
Senior Application Security Engineer
Posted 1 day ago

This is a fully remote position, open to applicants in Canada.
• Take ownership of and consistently enhance the secure software development lifecycle for Apollo applications, ensuring that security is integrated into design, implementation, and deployment processes.
• Conduct application security reviews, threat modeling, and thorough code-level analysis for high-impact products, platforms, and AI features prior to their launch.
• Offer practical security architecture guidance to Engineering, Product, and IT teams.
• Assist in defining and maintaining application-security guardrails, secure design expectations, code review standards, and risk models for both new and existing systems.
• Lead a rigorous vulnerability management process across internal reviews, bug bounty initiatives, penetration tests, SCA/runtime findings, and other research signals, ensuring that findings are validated, prioritized, routed correctly, and tracked through remediation and verification within established SLAs.
• Go beyond merely identifying issues: analyze the code, clarify root causes, suggest the safest fixes, and directly implement or support remediation for complex vulnerabilities when necessary.
• Engage in hands-on validation and offensive security testing of applications and fixes, which includes exploit development, bypass testing, adversarial thinking, and targeted red-team-style exercises to ensure that remediations address the root cause rather than just the initial symptoms.
• Work with various application security challenges typical in modern SaaS environments, such as authentication and authorization weaknesses, access control risks, OAuth and CSRF design flaws, SSRF, cryptographic and verification issues, information disclosure and data exposure risks, unsafe execution and deserialization patterns, and dependency or runtime vulnerabilities.
• Make clear, risk-based severity assessments using factors like exploitability, data sensitivity, customer impact, and blast radius.
• Configure and enhance AppSec tools and integrations, including SAST configurations, ignore lists, dashboards, and other controls that provide useful coverage without excessive noise.
• Select, develop, or refine security tools, small automations, and workflow enhancements that minimize manual effort and scale AppSec operations effectively.
• Leverage AI to automate, transform, and scale security and engineering-adjacent processes where it significantly enhances speed, consistency, or signal quality, while still validating outputs with strong engineering judgment.
• Integrate AI-specific security checks into SSDLC reviews and code analysis, focusing on input and output handling, AI-exposed APIs, prompt and response guardrails, and pathways for abuse or data exfiltration.
• Collaborate cross-functionally on AI security requirements and controls to ensure that AI systems and AI-powered features are designed, deployed, and operated securely.
• Support and promote security enablement for engineers and security champions, covering topics such as secure coding, AppSec, and AI safety content.
• Provide actionable remediation guidance, secure patterns, and examples that enable engineering teams to resolve issues quickly and effectively.
• Work closely with Engineering, Product, Platform, Data, Legal, and other security teams to ensure AppSec priorities are aligned with business risk and product development speed.
• Create clear documentation, metrics, and written narratives that enhance AppSec visibility, observability, and decision-making.

• A minimum of 5 years of experience in software engineering or application security, with substantial hands-on depth in modern SaaS environments.
• Strong software development capabilities with proficiency in reading, writing, and deploying production code; experience with Ruby is highly desirable, while Python or similar scripting skills are a plus.
• Solid understanding of Linux and cloud fundamentals, preferably with experience in GCP-backed environments.
• Thorough knowledge of common AppSec issues, secure design principles, secure authentication and authorization patterns, vulnerability management, and developer security tools.
• Proven ability to perform in-depth code reviews, penetration testing, and exploit-oriented validation, with the capability to either directly fix vulnerabilities or collaborate closely with engineers to implement lasting remediations that withstand bypass attempts and variant analysis.
• Experience managing findings from bug bounty programs, penetration tests, internal reviews, or automated security tools until closure and verification.
• Familiarity with AI-assisted tools, automations, APIs, or structured workflows that enhance engineering or security processes at scale.
• Experience securing AI-powered systems or features, including AI API exposure, handling of prompts and responses, data protection measures, misuse scenarios, and monitoring expectations.
• Excellent written and verbal communication skills, along with strong stakeholder management and influencing abilities across both technical and non-technical partners.

• Equity
• Company bonus or sales commissions/bonuses
• 401(k) plan
• At least 10 paid holidays per year
• Flexible PTO
• Parental leave
• Employee assistance program and wellbeing benefits
• Global travel coverage
• Life/AD&D/STD/LTD insurance
• FSA/HSA and medical, dental, and vision benefits