
Senior Security Engineer II, Application Security
Posted 17 hours ago

This is a fully remote position, open to applicants in Washington.
• Perform security evaluations and threat modeling for AI-integrated product functionalities (LLM workflows, agentic pipelines, model APIs) with an understanding of AI-specific risk categories such as prompt injection, model manipulation, and runtime control gaps. Simultaneously, leverage AI and automation to enhance capabilities by developing tools, pipelines, and integrations that broaden the team's impact, expedite triage efforts, and improve risk visibility that manual processes alone cannot achieve.
• Take ownership of comprehensive security assessments for high-risk features and services (threat modeling, architecture review, targeted code review, and security testing) within the product development lifecycle. Collaborate directly with engineering teams to identify and mitigate risks before deployment, possessing the technical credibility to influence design choices rather than merely documenting issues.
• Manage and enhance the security scanning controls integrated within Smartsheet's GitLab pipelines (SAST, SCA, secrets, IaC scanning). Optimize tools, engage teams regarding findings, and develop automation that minimizes false positives and enhances developers' experience with security feedback.
• Act as the expert validation layer for Smartsheet's bug bounty initiative, reproducing and evaluating intricate, multi-step researcher submissions that necessitate authenticated context and comprehensive platform knowledge. Make defensible severity and payout determinations while overseeing program operations, including researcher engagement, metrics, and ongoing improvements.
• Over 8 years of experience in application security, demonstrating a history of managing complex, multi-capability roles in product security or AppSec engineering.
• Proficient in one or more modern programming languages (Java, Python, TypeScript/JavaScript, Go, Ruby, or equivalent); you can identify security-relevant patterns independently of tools and create automation that is widely adopted.
• Practical experience in securing AI-integrated applications (LLM systems, agentic workflows, model APIs) along with proven experience in deploying AI and automation to enhance security functions or extend team capabilities. You possess both sets of skills.
• Conduct threat modeling, architecture reviews, and code reviews for complex SaaS features; you generate actionable findings for engineering teams and maintain sufficient technical credibility to influence design decisions, rather than merely documenting them.
• Independently validate complex, multi-step authenticated vulnerabilities; you verify scanner alerts and uncover gaps they may overlook.
• Experience as an operator, active researcher, or both; direct involvement in triage, severity calibration, and researcher communication.
• Familiarity with SAST, SCA, secrets, and IaC scanning within modern pipelines, along with experience in engaging teams on findings and enhancing signal quality.
• Knowledge of AWS, GCP, or Azure sufficient to connect application-layer risks to the underlying infrastructure; you comprehend where the application ends and the cloud begins.
• Legally authorized to work in the U.S. on a continuous basis.
• Bachelor’s or Master’s degree in Computer Science, a related field, or equivalent industry experience.
• Employer-subsidized medical/vision and dental coverage for full-time employees.
• 401k Match to assist you in saving for your future (50% of your contribution up to the first 6% of your eligible pay).
• Monthly stipend to enhance your work and productivity.
• Flexible Time Away Program, along with Sick Time Off.
• U.S. employees are automatically enrolled in Smartsheet-sponsored life insurance, short-term, and long-term disability plans.
• U.S. employees receive 12 paid holidays each year.
• Up to 24 weeks of Parental Leave.
• Personal paid Volunteer Day to give back to our community.
• Opportunities for professional growth and development, including access to Udemy online courses.
• Company Funded Perks, which include a counseling membership, local retail discounts, and your own personal Smartsheet account.
• Telecommuting options available from any registered location in the U.S. (role-specific).