Application Security Engineer

Please Note: This is a Utah-based hybrid position which will require some regular in-office days each week. Additionally, employment with BambooHR is contingent on passing both a background and credit check. 

Essential Job Duties

We are expanding our security team and seeking a highly experienced and strategic Application Security Engineer with a deep understanding of threat modeling, risk assessment, and cross-functional collaboration. In this critical role, you will be responsible for proactively identifying and mitigating security risks by conducting thorough threat modeling, aligning security efforts with business objectives, and ensuring our platform meets the highest standards of security and privacy, particularly for a multi-tenant SaaS environment.

You will:

• Threat Modeling Leadership: Lead and facilitate formal threat modeling exercises (e.g., STRIDE, LINDDUN, Attack Trees) for new and existing features, APIs, data flows, and architectural designs, translating technical risks into actionable insights.
• Risk & Privacy Alignment: Act as a key liaison between engineering, product, legal, and privacy teams, effectively translating technical security risks into business terms and collaborating to find balanced solutions that meet both security and product goals.
• Authentication & Authorization Expertise: Provide deep expertise and guidance on secure authentication mechanisms, session management, and complex access control models relevant to a multi-tenant SaaS platform.
• Product Security Collaboration: Partner closely with product managers and engineering teams to embed security requirements early in the product development lifecycle, balancing user experience (UX) with robust security.
• SaaS-Specific Security: Address security challenges unique to a SaaS environment, including multi-tenancy isolation, secure API design principles, prevention of horizontal privilege escalation, and secure data handling.
• API Security Testing: Conduct hands-on security testing of APIs using various tools (e.g., Burp Suite, Postman, custom scripts) to identify vulnerabilities and ensure secure communication and data exchange.
• Security Requirements: Define and document detailed security requirements and controls for new features and system enhancements.
• Security Consultation: Provide expert security consultation and guidance to development teams on secure coding practices, architectural patterns, and vulnerability remediation.
• Continuous Improvement: Stay current with the latest security threats, industry best practices, and emerging technologies, advocating for their adoption to enhance our platform's security posture.

What You Need to Get the Job Done

• Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent practical experience.
• Minimum 3 years of specific, hands-on experience in Application Security.
• AI and Automation-first mindset.
• Deep understanding of web application and API security principles, including authentication, authorization (OAuth, OpenID Connect, JWT), session management, and access control models.
• Demonstrated ability to translate technical security risks into clear, concise business terms for diverse audiences, including legal, privacy, and product stakeholders.
• Experience collaborating directly with product teams to integrate security into product roadmaps and balance security with user experience.
• Strong knowledge of common web application vulnerabilities (OWASP Top 10).
• Excellent communication, interpersonal, and presentation skills.

What Will Make Us REALLY Love You 

• Relevant security certifications (e.g., CSSLP, GCSA, CISSP).
• Experience with privacy frameworks and regulations (e.g., GDPR, CCPA).
• Familiarity with cloud security architecture (AWS, Azure, GCP).
• Experience with security champions programs.

What You'll Love About Us

• A Great Company Culture that has been recognized by multiple organizations like Inc, and Salt Lake Tribune
• Comprehensive health, life, and disability insurance 
• Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off so you can enjoy quality of life
• 401k plans with up to 6% company match
• $2000 Paid-Paid Vacation bonus
• EAP through Headspace
• Check out all our benefits that benefit you 

About Us

At BambooHR, we're building something different: we're building a people intelligence platform that transforms HR and sets people free to do great work! We're a proven market leader driving innovation while building lasting success through thoughtful, sustainable growth. Here, you'll find a place that champions growth: both professional and personal, both individual and collective. 

We invest in potential, giving you the space to stretch your capabilities and turn good ideas into reality while providing the safety net of a supportive, values-driven culture. Our approach combines meaningful work with meaningful lives, offering competitive benefits, professional development, and the flexibility to thrive both in and outside the office. 

What sets us apart isn't just what we do, but how we do it: with openness, integrity, and a shared commitment to doing the right thing. Join us in creating HR software that makes work better for everyone, while we make work better for you.

BambooHR is committed to the full inclusion of all qualified individuals and will ensure that persons with disabilities are provided reasonable accommodations throughout the hiring process.  If you would like to request accommodations, please let your recruiter know.

BambooHR is An Equal Opportunity Employer--M/F/D/V
Because our team members are trusted to handle sensitive information, we require all candidates that receive and accept employment offers to complete a background check before being hired.

For information on California Privacy Policy, click here.