Senior Application Security Engineer

Description
Drata's Senior Application Security Engineer is Drata's full time in-house resident hacker, responsible for identifying and mitigating application and product security of Drata's Trust Management Platform. This scope includes identifying and mitigating application and product security risks, implementing application and product security controls, providing guidance to development teams to help ensure secure coding practices, and directly assisting in changes needed to mitigate these risks and vulnerabilities.
What you'll do:

• Be Our Resident Hacker and Internal Red Team - Hack All The Things! Conduct security assessments of applications, including code reviews, penetration testing, and red team exercises. Work with external partners to accomplish these things as part of annual and ongoing assessments.
• Set Application Security Expectations: Develop and implement security policies, standards, guidelines, and procedures to ensure the safety and protection of Drata's data, applications, platform, and supporting systems. Collaborate with development teams to integrate security into the software development life cycle (SDLC).
• Build Security Into Everything: Work closely with internal teams to ensure application security is integrated throughout the software development lifecycle, system administration, and business operations. Collaborate with cross-functional teams to ensure security compliance across all departments and systems. Work with Drata's product and engineering teams during design to help ensure security is baked into the application.
• Vulnerability Management: Conduct regular vulnerability assessments, and identify and mitigate security vulnerabilities in applications in a timely manner.
• Application Security Incident Response: Lead investigation and response efforts for application-level security incidents.
• Foster Trusted Partnerships Across Engineering: Build strong, collaborative relationships with application and platform teams. Act as an embedded security partner-offering practical, empathetic guidance to drive secure development without blocking innovation.
• Deploy and Advance Application Security Capabilities: Continuously research, evaluate, and implement cutting-edge application security technologies.
• Reporting: Prepare and present regular application security reports to management. Communicate application security vulnerabilities and remediation efforts to relevant stakeholders.

What you'll bring:

• Bachelor's degree in Computer Science or related field (or equivalent experience)
• 5+ years of experience in application security, software development, or related field
• Strong knowledge of secure coding practices, web application security, and threat modeling
• Experience with common web application vulnerabilities and remediation techniques
• Strong knowledge of web application development frameworks and technologies including REST, Node, Javascript, Typescript, and React
• Experience with security testing tools such as Burp Suite and OWASP ZAP
• Experience with application observability tools such as Datadog
• Strong problem-solving and analytical skills
• Strong verbal and written communication skills

Benefits:

• Healthcare: 90-100% paid premiums for medical, dental, and vision plans for employee and dependents + on demand health care concierge
• HSA, FSA, & DCFSA: Pre-tax savings plans for healthcare and dependent care, with up to a $600 annual employer contribution to the HSA plan (if enrolled in HSA medical plan)
• 100% paid short and long term disability plus life + AD&D benefits
• Learning & Development: $500 annually towards professional development opportunities + $250 annually towards personal development opportunities
• Flexible Time Off: Flexible vacation policy for strong, fully charged batteries
• 16 Weeks Paid Parental Leave: An inclusive policy to ensure you have time with your newborn, newly adopted, or foster child (available after six months of employment)
• Work Remotely: Flexible hours and work from home + $1,000 annually to cover necessary business related items for your home office
• 401K: Reach your financial goals while reducing your taxes

This role will receive a competitive base salary, benefits, and stock, typically in the form of Restricted Stock Units (RSUs). The applicable salary range for each US-based role is based on where the employee works and is aligned to one of 3 tiers based on the cost of labor for that geographic area. The expected salary ranges for this role are below, subject to change.
Tier 1: $166,840 - $206,200
Tier 2: $150,280 - $185,600
Tier 3: $133,535 - $165,000
You can view which tier applies to where you plan to work here. A variety of factors are considered when determining someone's leveling and compensation-including a candidate's professional background and experience. These ranges may be modified in the future and final offer amounts may vary from the amounts listed above.
Drata is on a mission to serve as the trust layer between great companies.
Drata is a trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses develop a more secure, proactive, and risk-aware organization to continuously maintain trust with customers.
We all recognize the importance of earning and keeping the trust of our customers when it comes to protecting their data. We know how burdensome achieving and maintaining a strong GRC posture can be with the rise in compliance regulations. It's a manual, redundant, error-prone, and unscalable process - and it only grows more complex and expensive over time.
Our team of SaaS, security, compliance, and audit experts have built a better way - with automation
Employment at Drata is based solely upon individual merit and qualifications directly related to professional competence. We strictly prohibit unlawful discrimination or harassment on the basis of race, color, religion, veteran status, national origin, ancestry, pregnancy status, sex, gender identity or expression, age, marital status, mental or physical disability, medical condition, sexual orientation, or any other characteristics protected by law. We also make reasonable accommodations to meet our obligations under laws protecting the rights of the disabled.