Senior Application Security Engineer

Remote, Senior

4000-6000$

Who we're looking for

We are looking for an experienced, self-driven Senior Application Security Engineer to join our engineering organization. You will not just "run tools" - you will own the application security roadmap. You will act as a bridge between security, development, and DevOps, ensuring that our SaaS platform remains secure by design without slowing down our release velocity. We need a builder and a strategist. You will be responsible for maturing our security posture according to the BSIMM framework, automating security within our CI/CD pipelines, and fostering a culture of security among our developers.

Key Responsibilities

  • Build the Program: Spearhead the creation and evolution of our Application Security program, utilizing the BSIMM (Building Security In Maturity Model) framework to measure growth and identify gaps.

  • Secure Design & Threat Modeling: Partner with engineering squads during the design phase. Initially, develop threat models for new features and architectural changes to identify flaws before code is written. Eventually, move to the coach role, and review the threat models produced by security champions embedded in development teams.

  • Tooling & Automation: Select, configure, and manage the AppSec tool stack (SAST, DAST, SCA, IAST). Focus on "shifting left" by integrating these tools directly into our CI/CD pipelines to provide rapid feedback to developers.

  • Vulnerability Management: Triage automated findings to filter out false positives. Work directly with developers to explain the risk of vulnerabilities and provide specific code-level remediation guidance in Ruby or TypeScript.

  • Policy & Governance: Create and enforce pragmatic application security policies, architecture, and coding standards to ensure delivery of a secure product.

  • Security Champions: Build and mentor a "Security Champions" program within the development teams to scale security knowledge across the organization.

  • Incident Support: Assist the infrastructure/SecOps teams during security incidents, specifically regarding application-layer vector analysis and forensic code reviews.

Our expectations

  • Engineering Background: 5+ years of total experience in software engineering or DevOps. You must have a software engineering background.

  • AppSec Experience: 3+ years of dedicated experience in Application Security.

  • Tech Stack Proficiency: Strong familiarity with Ruby on Rails and TypeScript. You should be able to spot a logical vulnerability in a Rails controller or an XSS flaw in a front-end component during a manual code review.

  • Core Knowledge: Deep understanding of the OWASP Top 10, OWASP API Top 10, CWE Top 25, and common attack vectors (SQLi, XSS, SSRF, IDOR, Deserialization).

  • CI/CD Integration: Proven experience integrating security tools into modern CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins).

  • Autonomy: You are a self-starter who can define your own priorities, manage stakeholders, and drive projects to completion without micromanagement.

  • Experience with Docker and Kubernetes, and a deep understanding of container security and EKS best practices.

Nice to Have

  • Our preference is for a builder archetype, but we would consider candidates with breaker/red team experience.

  • Cloud Security: Experience securing applications deployed on AWS.

  • Compliance: Experience assisting with SOC2 Type II, ISO 27001, and GDPR compliance audits.

Why Join Us?

  • People-centric benefits: flexible remote work arrangements, remote-first processes, a learning budget you control, and a competitive salary and benefits package.

  • Strong engineering culture: autonomy, psychological safety, and a bias for action.

  • Opportunity to work with a dynamic and innovative team dedicated to driving meaningful change.


How to Apply

Does this position sound like a good fit? Email us at recruitment@taxdome.com

or connect with our recruiters:

Inessa | Telegram

We sincerely appreciate all applications; however, only candidates chosen to proceed to the next stage will be contacted.

Published on: 12/12/2025

TaxDome

We are creating a SaaS platform that helps our customers grow their businesses around the world. Our platform allows small and medium-sized businesses dealing with taxes, finance, and accounting to automate workflows.
