Senior Application Security Engineer

About The Role

Pagoda’s growing security team is looking for an experienced Senior Application Security Engineer to focus on the advancement of modern application security practices and partner closely with our engineering and product teams to provide security recommendations and identify security issues throughout the software development lifecycle. This includes secure design reviews, threat modeling, secure code review, and penetration testing.

This team member will be responsible for the security and integrity of our applications, possessing a deep understanding of software vulnerabilities and the ability to develop effective security solutions. This role requires a strong technical background, excellent problem-solving skills, and the ability to collaborate with cross-functional teams to implement robust security measures.

What You'll Be Doing

• Support the Pagoda Software Development Lifecycle as an application security subject matter expert through design review, threat modeling, code review, and penetration testing
• Collaborate and advise engineering teams on application security best practices and vulnerability remediation
• Perform deep-dive security reviews to ensure all Pagoda products and services following secure design principles across our product portfolio (web, mobile, and APIs)
• Create and deliver hands-on software security training to engineering teams to increase security awareness
• Participate in on-call rotation to support engineering teams during incidents
• Role activities:
  
  • Manual source code review
  • Adhoc Pen Testing
  • WebApp/dApp PenTesting
  • Secure program design and implementation review
  • Threat modeling
  • Continuous secure assurance activities
  • Risk identification and categorization / management
  • Engineering education and engagement
  • Ownership of internal SAST/DAST toolset[s]

What We're Looking For

• 8 years of experience in application security 
• Has set up or helped guide the creation of an Application Security program from scratch.
• Ability to perform design reviews, threat modeling, secure code reviews, or penetration testing with an attacker mindset
• Familiarity with modern SAST/DAST tooling.  Snyk and Stackhawk are important.
• Ability to review and dissect a Bug Bounty submission.  Craft a fix and work with appropriate teams to implement
• Strong background in application security best practices and familiarity with common vulnerabilities (e.g. SSRF, race conditions, privilege escalations, etc.)
• Familiarity with and ability to understand business objectives, business context, and security risk
• Proven ability to communicate effectively with developers

We'd Love If You Have

• A passion for security and Web3
• Know Linux backwards and forwards
• Experience in building lasting connections with development teams
• Experience in a startup environment
• Professional certifications e.g. CISSP  
• Familiarity with using one or more programming/scripting languages (e.g., Python, Java, etc.)

Here’s What Our Interview Process Looks Like

Our interviews take place via Zoom and typically consists of the following stages:

• Recruiter Call
• Hiring Manager Call
• 1st Round
  • Bug Bounty Interview
  • Technical Assessment with Engineering 
• Final Round
  
  • Meet with CTO
  • Pagoda Values Interview

Compensation

The base salary range for this role is $176,000 - $200,000. This reflects the minimum and maximum range across all US locations. This does not include bonus, incentives, or benefits.

The actual base pay is dependent upon many factors, such as: leveling, relevant skills, and work location. If you are based outside of the US, there are other geographic considerations that may impact your final compensation. Your recruiter can share more about the compensation and benefits applicable to your preferred location during the hiring process.