Application Security Engineer
At WRITER, we're not just building AI; we're securing the future. We're looking for a passionate Application Security Engineer to join our team and play a critical role in safeguarding our cutting-edge AI and AGI applications. If you're a security professional who thrives on challenges, loves to break things to make them stronger, and wants to make a real impact, this is the role for you.
As our Application Security Engineer, you'll be embedded in the heart of our development process, working alongside talented engineers to build security into our CI/CD pipelines, proactively hunt for vulnerabilities, and help us stay one step ahead of potential threats. You'll be a key player in our DevSecOps journey, ensuring the security of our AI solutions from the ground up.
Your Mission:
Build Pipeline Security (Pre-Deployment): Own and fortify the security of our build pipeline, implementing robust security measures before deployment.
CI/CD Security Champion: Design and implement security gates and checks within our CI/CD pipeline, ensuring that security is a continuous process.
Application Penetration Testing: Conduct in-depth penetration tests to uncover vulnerabilities in our applications, APIs, and model endpoints.
Container Security Expert: Implement and manage container scanning during the build phase to identify and mitigate container-related security risks.
Vulnerability Hunter: Discover and analyze application-layer vulnerabilities, providing actionable insights for remediation.
What You'll Do:
Embed Security in the Build Pipeline: Take ownership of pre-deployment application security, implementing automated vulnerability scanning, container scanning, and custom security gates within our CI/CD pipeline.
Conduct Advanced Application Penetration Testing: Perform comprehensive penetration testing on AI applications, APIs, and model endpoints, simulating sophisticated attacks to validate our security controls.
Automate Security Testing at Scale: Develop scripts, tools, and frameworks to enable continuous security assessment, including SAST, DAST, and SCA integration.
Lead Application-Layer Red Team Exercises: Plan and execute red team engagements that mimic real-world adversary techniques targeting AI systems.
Hunt and Validate Vulnerabilities: Discover, reproduce, and chain vulnerabilities into realistic attack paths, providing actionable remediation guidance to our development teams.
Advise on Security Architecture: Review designs for potential weaknesses, create secure patterns, and identify systemic security issues across our applications.
Collaborate Across Boundaries: Partner with Cloud/Infrastructure on deployment/runtime security, AI Security on threat modeling, and Detection & Response on defensive validation.
What You Bring to the Table:
Deep AppSec Expertise: 8+ years of experience in application security, with a strong emphasis on hands-on testing and vulnerability assessment.
Penetration Testing Prowess: 5+ years of experience conducting penetration tests and security assessments on complex systems.
Proven Vulnerability Discovery: A proven track record of finding and exploiting critical vulnerabilities in real-world applications.
DevSecOps Integration: Extensive experience integrating security into DevOps workflows and CI/CD pipelines.
Strong Programming Skills: Solid programming skills for exploit development, security automation, and custom tool creation.
Web & API Security Expertise: Deep understanding of web application and API security principles, including expertise in cloud-native architectures.
Proficiency with Pen Testing Tools: Mastery of penetration testing tools such as Burp Suite, OWASP ZAP, and custom scripting techniques.
SAST, DAST, and SCA Skills: Experience with static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) tools.
Attack Technique Knowledge: A strong understanding of application-layer attack techniques and exploitation methodologies.
Supply Chain Security Awareness: Experience with supply chain security and build pipeline hardening techniques.
Bonus Points:
Background in software development or DevOps.
Experience testing AI/ML applications.
Security certifications such as OSCP, OSWE, or GWAPT.
Published security research or CVEs.
Experience with purple team operations.
What You *Won't* Own (But Will Partner On):
Deployment Pipeline Security (Cloud/Infrastructure Leads)
Infrastructure-as-Code Security (Cloud/Infrastructure Leads)
Production Runtime Security (Cloud/Infrastructure Leads)
AI Model Security Research (AI Security Leads)
Key Partnerships:
Cloud/Infrastructure: Seamless handoff at the build/deploy boundary. You secure the build; they secure the deploy.
AI Security: Collaborate on threat modeling for AI-specific risks, translating those models into actionable tests within the CI/CD pipeline.
Detection & Response: You proactively find vulnerabilities; they detect attacks in the production environment.
Why WRITER?
At WRITER, we are committed to pushing the boundaries of AI while prioritizing the security of our technology. You'll be working alongside a team of passionate engineers and security experts in a fast-paced, innovative environment where your contributions will have a direct and significant impact.
Benefits & Perks (US Full-Time Employees):
Generous PTO, plus company holidays
Medical, dental, and vision coverage for you and your family
Paid parental leave for all parents (12 weeks)
Fertility and family planning support
Early-detection cancer testing through Galleri
Flexible spending account and dependent FSA options
Health savings account for eligible plans with company contribution
Annual work-life stipends for:
Home office setup, cell phone, internet
Wellness stipend for gym, massage/chiropractor, personal training, etc.
Learning and development stipend
Company-wide off-sites and team off-sites
Competitive compensation, company stock options, and 401k
WRITER is an equal-opportunity employer and is committed to diversity. We don't make hiring or employment decisions based on race, color, religion, creed, gender, national origin, age, disability, veteran status, marital status, pregnancy, sex, gender expression or identity, sexual orientation, citizenship, or any other basis protected by applicable local, state, or federal law. Under the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.
By submitting your application, you acknowledge and agree to WRITER's Global Candidate Privacy Notice.