Security Engineer - Vuln Management (Code)

Replit

Full-time Hybrid
Foster City, CA
$210,000 - $270,000
Full-time
Security Engineer

Job Description

AppSec Vulnerability Management Engineer

Join Replit, the agentic software creation platform empowering millions worldwide to build applications with natural language. We're democratizing software development, breaking down traditional barriers, and now, we need your expertise to secure this revolution.

About the Role: Guardian of the Codebase

We are seeking a proactive and skilled mid-level AppSec Vulnerability Management Engineer with a strong software development background to fortify Replit's ecosystem. In this critical role, you won't just bridge the gap—you'll forge a robust connection between security, compliance, and engineering teams. You'll be at the forefront of identifying and mitigating application vulnerabilities, meticulously maintaining software supply chain integrity, and ensuring our platform adheres to the strictest regulatory compliance frameworks.

Beyond proactive defense, you will be a vital technical responder during security incidents, deploying real-time countermeasures to protect our users and our innovative software landscape.

What You'll Do: Impact & Innovation

Core Responsibilities

Vulnerability Scanning & Triage: Lead our proactive defense by performing periodic application security scanning. Deeply analyze results, prioritizing flaws based on CVSS scores, real-world exploitability, and system exposure to ensure critical risks are addressed first.
Compliance-Driven Tracking: Champion compliance excellence. Meticulously track, document, and manage vulnerabilities in strict adherence to compliance SLAs (e.g., SOC 2, ISO 27001, PCI-DSS). Maintain audit-ready evidence of remediation timelines and exception approvals.
Executive Reporting & Alerting: Drive critical insights by escalating and reporting severe exposures directly to the CISO and senior leadership. Develop and maintain dynamic dashboards and alerting mechanisms that visualize vulnerability status, risk trends, and our overall compliance posture.
Software Supply Chain Security: Take ownership of the organization's Software Bill of Materials (SBOM). Continually update SBOM inventories to ensure compliance with modern regulatory requirements and robust dependency tracking. Help Replit mature through various SLSA levels for supply chain security.
Remediation Collaboration: Act as a security partner, collaborating closely with development teams to provide clear, actionable mitigation paths. When necessary, roll up your sleeves to directly review, write, and patch code to swiftly resolve security flaws.
Tooling Integration: Optimize our automated defenses. Configure and fine-tune automated security testing tools within CI/CD pipelines, significantly reducing false positives for engineering teams and streamlining the development process.
Incident Response Support: Stand ready as a first responder. Assist Incident Response teams during active breaches or security incidents, helping to develop and implement immediate, real-time code or infrastructure countermeasures to neutralize threats.

Required Skills & Experience: Your Toolkit for Success

Experience: 5 years of experience in Application Security, DevSecOps, or Software Engineering roles.
Development Background: Solid foundational experience working in a software development capacity.
Code Literacy: Proven ability to read, understand, and safely patch security flaws in JavaScript/TypeScript, Python, and Go.
Build System Expertise: Strong familiarity with build systems, package managers, and compilation workflows across multiple languages and frameworks.
AppSec Tooling Expertise: Hands-on experience operating SAST, SCA, and Secret Scanning tools (such as Snyk, Socket, Wiz Code, Semgrep, or Checkmarx).
Compliance Awareness: Deep understanding of how vulnerability management maps to critical security compliance frameworks like SOC 2, ISO 27001, or NIST.

What We Value: Our Operating Principles

Systems Thinking: The ability to see the "big picture" and understand how security decisions impact the entire stack.
Technical Influence: The ability to drive technical alignment across the organization through expertise and collaboration rather than direct authority.
Autonomy: Comfortable leading major technical initiatives and driving outcomes with minimal oversight.
Problem-Solving Mindset: A passion for breaking down complex security challenges into elegant, scalable engineering solutions.

This is a full-time role based in our Foster City, CA office, with an in-office requirement of Monday, Wednesday, and Friday.

Full-Time Employee Benefits Include:

💰 Competitive Salary & Equity
💹 401(k) Program with a 4% match (US Only)
⚕️ Health, Dental, Vision and Life Insurance
🩼 Short Term and Long Term Disability
🚼 Paid Parental, Medical, Caregiver Leave
🏝 Flexible Time Off (FTO) + Holidays
🚗 Commuter Benefits (In-Office Only)
📱 Monthly Wellness Stipend
🧑‍💻 Autonomous Work Environment
🖥 In Office Set-Up Reimbursement (In-Office Only)
🚀 Quarterly Team Gatherings
☕ In Office Amenities (In-Office Only)

Want to learn more about what we are up to?

Meet the Replit Agent
Replit: Make an app for that
Replit Blog
Amjad TED Talk

Interviewing + Culture at Replit

Operating Principles
Reasons not to work at Replit

To achieve our mission of making programming more accessible around the world, we need our team to be representative of the world. We welcome your unique perspective and experiences in shaping this product. We encourage people from all kinds of backgrounds to apply, including and especially candidates from underrepresented and non-traditional backgrounds.