Level Up National Security with Onebrief: Application Security Engineer
Imagine a role where your passion for cybersecurity directly impacts national security. At Onebrief, we're not just building software; we're crafting a force multiplier for military staffs, empowering them to be faster, smarter, and more efficient. We're a remote-first company with a $1.1B valuation, backed by top-tier investors like Battery Ventures and General Catalyst. If you're ready to bring your security expertise to a mission-driven organization, keep reading.
About the Role
We're seeking an Application Security Engineer to join our elite Infrastructure & Security team. Reporting to the Director of Infrastructure, you'll collaborate closely with SREs, Software Engineers, DevOps Engineers, Platform Engineers, Customer Relations, and Cybersecurity Analysts to fortify the Onebrief application and its underlying infrastructure.
Your mission? To identify, triage, and remediate security vulnerabilities, ensuring our platform remains impenetrable.
What You'll Do
Hunt for Vulnerabilities: Embrace an attacker's mindset to proactively review pull requests, conduct in-depth code audits, and leverage static analysis tools to pinpoint vulnerable code patterns that could be exploited.
Patch Across the Stack: From browser to kernel, you'll identify, fix, and prevent vulnerabilities. Utilize vulnerability scanners to detect unpatched components and configuration errors. Collaborate with platform engineers to harden customer environments and enforce security best practices.
Harden Infrastructure: Review identity and access management, logging, auditing, and monitoring to create a layered defense for our corporate infrastructure and customer deployments. Work with Cybersecurity analysts to ensure compliance with SOC II, NIST, and FedRamp Moderate/High standards.
Elevate the Team: Mentor fellow engineers on security best practices, share critical vulnerability intelligence, and engage with the community on emerging threats. Drive process improvements to "shift security left," identifying vulnerabilities early in the software lifecycle.
You're a Perfect Fit If:
You're a security-obsessed individual who understands that software vulnerabilities pose a serious business risk. You might enjoy dissecting incident reports and even participate in security conferences like DefCon or OWASP meetups. You likely have a background in software engineering, DevOps, or systems administration and are familiar with cloud-native technologies like Kubernetes. Whether your experience lies in game cheat detection, bug bounties, or traditional enterprise security, we want to hear from you.
What We're Looking For:
5+ years of experience in Application Security, Cybersecurity Engineering, Software Engineering, or a related field, ideally with firsthand experience in high-compliance environments like PCI DSS, HIPAA, or NIST.
U.S. citizenship required; security clearance highly desired.
Strong understanding of Linux, containerization, orchestration, and virtual machines.
Networking fundamentals: core protocols and secure configurations.
Deep understanding of incident response processes, including root cause analysis and continuous improvement.
Excellent written and verbal communication skills.
Expertise in core skills and technologies: JavaScript/Browser security, Network Security, Firewalls, Intrusion Detection, Static Analysis, Dynamic Analysis, Container Scanning, Kubernetes, Docker, Helm, Ansible, Terraform, Linux, AWS, DoD compliance, and Monitoring and Observability tools.
Bonus Points:
Experience with compliance frameworks (RMF, STIGs/SRGs, PCI DSS, HIPAA, ICD 503).
Security design for air-gapped environments.
Active Security+ or another DoD 8570.01-approved security credential (or the ability to obtain one within 3 months).
JavaScript experience.
CSSLP or CISSP certification.
Familiarity with DoD Software Lifecycle, RMF/ATO, STIG.
Pentesting/Red Team experience.
Familiarity with web authentication/authorization technologies (SSO, SAML, OIDC, JWT).
Experience with Kubernetes and modern Cloud-Native deployment strategies.
Familiarity with DevOps practices, CI/CD
Working grasp of PKI, TLS and cryptographic primitives
Clearance, Location, and Travel:
This role is remote.
Occasional (quarterly or less) on-site activities at customer locations may be required.
Must be a US Citizen, eligible for a Secret Security Clearance. Active Secret or Top Secret Clearance is a plus, SCI eligibility is a plus.
Ready to make a real impact? Join Onebrief and help us secure the future. Apply now!