Job description
Job Purpose
As an Application Security Engineer at Luciq, you will help shape and build our application security program alongside the wider team. This is a hands-on, high-ownership role where you will work closely with product and development teams across the full software development lifecycle — reviewing designs before code is written, identifying risks as features take shape, and ensuring security is embedded into how we build and ship software, not bolted on after the fact. Our stack runs on Ruby on Rails, Go, and Python, deployed on AWS with Terraform managing infrastructure as code and Jenkins powering CI/CD. You will read and review code in these languages — not just rely on scanner output — and work with AWS security services (SecurityHub, Inspector, GuardDuty, CloudTrail, CloudFront) to provide visibility and protection across our infrastructure. The role spans web applications, APIs, our mobile SDK (iOS and Android), cloud, and CI/CD — partnering with engineers, PMs, Platform, and the Security team to make the secure path the default path. This role can be filled at mid-level with a clear growth path to senior-level as you grow into shaping our application security program, or at senior-level if you're already operating at that scope.
You will join a lean Security team, which entails stepping beyond core AppSec for incident triage, addressing customer security questionnaires, or supporting cross-functional cloud and compliance reviews. We value this variety as a core facet of the role; if you are seeking hyper-specialized work restricted strictly to application security, this may not be the right fit.
Job Responsibilities
- Secure Design & Code Review
- Run and lead threat modeling sessions with product and engineering teams during feature design. This is a hands-on role with expectations to deliver fixes in the product as needed while enabling other engineers.
- Conduct security code reviews and architecture reviews across web applications, APIs, and services in Ruby, Go, and Python
- Leverage AI and make sure that we enable engineers to adhere to security acceptance criteria. Provide guidance to engineers on secure design as we iterate and build the product.
- Validate, triage, and drive remediation of vulnerabilities — partner with engineering teams across the full lifecycle from discovery through SLA support
- Coordinate with engineering teams on fix verification and root-cause prevention
- Security Automation in CI/CD
- Build and maintain automated security testing in CI/CD — SAST, SCA, secret scanning
- Tune tooling for signal over noise; integrate findings into developer workflows
- Operate secret-scanning and leaked-credential response workflows
- Cloud & Infrastructure Security
- Support cloud security reviews — IAM policies, network segmentation, container/Kubernetes configurations, and Terraform policy-as-code
- Work with AWS security services (SecurityHub, Inspector, GuardDuty, CloudTrail, CloudFront) to maintain visibility and detection across our infrastructure
- Supply Chain & Build Security
- Own dependency risk via SCA, lockfiles, and pinning
- Drive CI/CD pipeline hardening — build runners, OIDC-to-cloud, artifact signing, SBOM standards
- Cross-functional Security Enablement
- Develop secure coding guidelines and reusable patterns that make the secure path the default
- Drive S-SDLC adoption across engineering teams
- Review security posture of our mobile SDK across iOS and Android — data handling, transport security, local storage, IPC, encryption, third-party dependency risk, and SDK consumer-facing security defaults
- Assess security risks in AI/LLM integrations — prompt injection, insecure output handling, trust boundaries in agentic architectures
- Support compliance initiatives (SOC 2, ISO 27001) — translate control requirements into engineering practices and assist with audit evidence collection
- Use AI tooling actively in your own workflow: AI-assisted code review, threat modeling drafts, vulnerability research, and security artifact generation; help shape how the rest of engineering uses AI safely
Job Requirements
Must-Haves
- Experience: 3-6 years in application security or security engineering
- Education: Bachelor's degree in Computer Science, Information Security, or equivalent practical experience
- Secure code review in at least one of: Python, Ruby, Go — can read code and reason about vulnerabilities, not rely on scanner output
- OWASP Top 10 (Web and API) as root-cause patterns, not a memorized checklist — including SSRF, insecure deserialization, injection classes, and access-control flaws
- Threat modeling: practical experience with STRIDE and data flow diagrams; can lead a session with a product team and produce actionable output
- Auth and identity: working depth in session management, RBAC/ABAC models
- CI/CD security automation: hands-on experience integrating SAST, SCA, and secret scanning into pipelines and tuning for actionable signal
- Proactive and ownership-driven — does not wait to be told what to secure
- Comfortable working cross-functionally with product engineers, platform engineers, and the wider team
- Strong analytical and problem-solving abilities
- Fluent in English, with strong written and verbal communication
- Communication: clear written and verbal communication; can explain a vulnerability to an engineer, a PM, or a VP
Strong Plus
We expect strong candidates to have some of these, not all. The more, the better.
- Mobile SDK security: OWASP Mobile Top 10 and MASVS/MASTG; Android (Kotlin) or iOS (Swift); experience with Frida, objection, or MobSF
- AWS security service depth: SecurityHub, Inspector, GuardDuty, CloudTrail, CloudFront beyond IAM
- Container and Kubernetes security fundamentals
- Supply chain depth: SLSA framework, SBOM
- AI/LLM security: prompt injection mitigations, OWASP LLM Top 10, securing agentic architectures and tool-use boundaries
- Familiarity with ISO 27001 or SOC 2.
Nice to Have
- Terraform and policy-as-code: tfsec, Checkov, OPA/Conftest
- Experience building or bootstrapping a security program
- Bug bounty participation, published CVEs, or documented security research
- Hands-on certifications: OSCP, OSWE, eMAPT
- Incident response experience — triage, containment, root-cause analysis
- Red teaming or purple teaming experience
This job post has been translated by AI and may contain minor differences or errors.