Application Security Engineer
San Francisco, CA - USA
Job Summary
About Opal Security:
At Opal, we're building modern identity governance for the AI era: intelligent access management that empowers enterprises to move fast while staying secure. Our mission is to bring clarity, control, and confidence to complex enterprise environments, helping teams govern access without slowing down innovation.
The Role:
Most security engineers spend their careers bolting locks onto doors that were already built. This is not that job.
We're hiring an Application Security Engineer to own security across Opal's product and platform, and yes, "own" means what it sounds like. You'd be our dedicated security engineer embedded directly with engineering, writing production code in Go and TypeScript and building security into the product while it's still being designed. You'll work closely with a team of engineers that genuinely cares about getting this right, and a product that happens to be one of the most security-critical tools in enterprise software.
Oh, and one more thing: Opal is a security company. We sell access control to organizations that take security seriously. That means your work isn't a cost center; it's core to what we do.
This role lives on the Platform team and partners closely with Infrastructure Engineering on cloud security. It is explicitly scoped to application and product security; enterprise IT, compliance, and vendor risk management are handled separately.
What You'll Do:
Secure Development Lifecycle -
Own the secure SDLC end-to-end: threat modeling, design reviews, code reviews. You set the bar.
Run and coordinate app pentests (internal and external) and drive findings to closure
Build and own SAST/DAST/SCA tooling wired into CI/CD so security ships with the code
Triage and remediate vulnerabilities from every angle: bug bounty, internal scans, the works
Software Security Engineering -
Build and maintain the security-critical stuff: encryption services, authz enforcement, authn flows
Own the Auth0 / Opal integration: tokens, sessions, MFA, SSO (SAML, OIDC, OAuth 2.0)
Ship production Go and TypeScript to harden APIs, enforce least privilege, and close vuln classes for good
Create shared libraries that make the secure path the easy path for every product engineer
Incident Response & Cloud Security -
Be first on the scene for security incidents: investigate, contain, find the root cause, fix it
Partner with Infra on cloud hardening: AWS IAM, EKS, KMS, network segmentation
Level up detection and response by writing detection rules and improving logging and alerting
Security Culture -
Mentor engineers on secure coding, common vuln patterns, and security architecture; you make the org smarter
Help set the security roadmap by grounding it in real product risk
Be the security teammate engineers want to work with: a collaborator, not a bottleneck
You Might Be a Fit If You:
Have 4 years in application security or software security engineering
Actually write production code; findings reports are the floor, not the ceiling
Know auth cold: OAuth 2.0, OIDC, SAML, session management, token lifecycle
Are comfortable in AWS and containerized environments (Kubernetes, Docker)
Bonus points for familiarity with our stack: Go, TypeScript, React, PostgreSQL, Redis, GraphQL
Have led complex cross-functional security initiatives from kickoff to completion
Have run or participated in external pentests and seen findings through remediation
Thrive on ownership and ambiguity; you'd rather write the playbook than wait for one
Required Experience:
IC
About Company
Opal is the identity security platform for modern enterprises. With Opal, companies can implement least privilege, automate access reviews, and accelerate access requests.