
Senior Application Security Engineer
Posted May 21
This is a fully remote position, open to applicants in India.
• Oversee security evaluations for application architecture and system design.
• Assess designs related to authentication and authorization models, data access patterns, API exposure, and trust boundaries.
• Deliver clear and actionable guidance to engineering teams.
• Proactively identify risks and influence secure design choices.
• Conduct security assessments prior to production and go-live phases.
• Determine whether a feature is safe for launch and identify risks that need to be mitigated or accepted.
• Collaborate with engineering and product teams to prioritize fixes and establish compensating controls.
• Serve as a security approver and advisor for production releases.
• Design and evaluate implementations of OAuth2, OIDC, and SAML.
• Identify and address broken access control and privilege escalation issues.
• Lead security reviews for REST, GraphQL, and event-driven APIs.
• Recognize risks such as Broken Object Level Authorization (BOLA), injection vulnerabilities, and data leakage.
• Establish standards for API authentication, input validation, rate limiting, and abuse protection.
• Evaluate security risks in AI-driven features and systems.
• Lead the identification of vulnerabilities through static analysis (SAST) and dependency scanning (SCA).
• Assess and map the application attack surface.
• Integrate and enhance security tools within CI/CD pipelines.
• Enhance developer experience by implementing secure defaults.
• Over 10 years of experience in Application Security, Security Engineering, or Software Engineering with a strong emphasis on security.
• Demonstrated experience in conducting security architecture/design reviews and Go-live/production readiness security assessments, with a preference for familiarity with cloud platforms (AWS, GCP, Azure).
• Strong knowledge of the OWASP Top 10, modern web vulnerabilities, secure system design, and threat modeling.
• Experience with SAST tools (e.g., SonarQube, Checkmarx) and SCA tools (e.g., Snyk, Dependabot).
• Ability to evaluate real-world risks and prioritize effectively in a SaaS context.
• Understanding of risks associated with LLMs (prompt injection, data leakage) and AI system architecture.
• Exposure to securing AI features or platforms.
• Familiarity with MCP or similar AI integration methodologies.
• Deep expertise in the following areas:
  • Authentication and Authorization
    • OAuth2, OIDC, SAML
    • RBAC / ABAC / least privilege models
  • API Security
    • REST / GraphQL
    • Common API attack vectors (BOLA, injection, data exposure)
  • Application Security
    • Secure coding practices
    • Input validation, output encoding, session management
• Health Coverage: Employee and immediate family members.
• Time Away: Flexible paid time off and 10 company-paid holidays annually.
• Family Support: Exceptional paid leave for birth parents, non-birth parents, and caregivers. Onit also provides surrogacy and adoption reimbursement.
• Income Protection: 100% employer-paid life and disability insurance.
• Additional Coverage Options: Voluntary benefits including hospital indemnity, critical illness, and accident insurance.
• Tax-Advantaged Accounts: Flexi, NPS.
• Community Engagement: One paid volunteer day each year to give back to the community.