Onebrief is hiring an Application Security Engineer to own the security and compliance posture of our software products and platform. You will identify, triage, and fix security issues within the application, platform, and deployed infrastructure.

What You'll Do

Find vulnerabilities in software by reviewing PRs, performing code audits, and utilizing static analysis.
Use dynamic analysis, fuzzers, and code reviews to find weaknesses and work with developers to patch them.
Fix vulnerabilities across the full stack from browser to kernel.
Utilize vulnerability scanners to find unpatched components and identify configuration errors.
Work with platform engineers to harden customer environments and utilize best practices.
Advise on network configuration, identity and access management, and infrastructure security.
Review identity and access management, logging, auditing, and monitoring to craft layered defenses.
Work with Cybersecurity analysts to ensure compliance with corporate/Federal standards like SOC II, NIST, and FedRamp Moderate/High.
Mentor other engineers on best security practices and share news of vulnerable libraries and compromises.
Engage with the community on active threats and trends in exploit development and malware.
Work to improve processes to shift security 'left' and identify vulnerabilities earlier in the design, development, and deployment lifecycle.

What We're Looking For

5+ years of experience in Application Security, Cybersecurity Engineering, Software Engineering, or a related field.
U.S. citizenship required.
A strong understanding of Linux, containerization and orchestration, and virtual machines.
Networking fundamentals: core protocols and secure configurations.
A deep understanding of incident response processes, with experience conducting root cause analyses.
Clear, concise writing; strong documentation habits and async communication.
Familiarity with DevOps practices, CI/CD.
Familiarity with security tooling such as Static & Dynamic Analysis (SAST/DAST).
Familiarity with networking, web protocols.
Working grasp of PKI, TLS and cryptographic primitives.

Nice to Have

Experience ensuring security in high-compliance environments like PCI DSS, HIPAA, or NIST.
Security clearance greatly desired (Active Secret or Top Secret Clearance is a plus, SCI eligibility is a plus).
JavaScript Experience.
Security+ Certification or other IAT Level II equivalent.
CSSLP or CISSP.
Familiarity with DoD Software Lifecycle, RMF/ATO, STIG.
Pentesting / Red Team experience.
Familiarity with web authentication/authorization technologies such as SSO, SAML, OIDC, JWT.
Experience with Kubernetes and modern Cloud-Native deployment strategies.
Experience with compliance frameworks/processes (RMF, STIGs/SRGs, PCI DSS, HIPAA, ICD 503).
Security considerations/design for air-gapped environments.
Active Security+ or another DoD 8570.01-approved security credential, or the ability to obtain valid credentials within 3 months of employment.

Technical Stack

Javascript/Browser security, Network Security, Firewalls, Intrusion Detection
Static Analysis, Dynamic Analysis, Container Scanning
Kubernetes, Docker, Helm, Ansible, Terraform
Linux, AWS, DoD compliance
Monitoring and Observability tools

Team & Environment

You will be part of the Infrastructure & Security team, reporting to the Director of Infrastructure. Our culture emphasizes ownership, excellence, and playing to win with the seriousness and camaraderie of an Olympic team.