JOBSEARCHER

Staff Application Security Engineer

It’s rare that a new asset class is born. Nevertheless, we’re witnessing exactly that with the rise of crypto. Over just the last few years, since Bitwise was founded, crypto has evolved from an embryonic $50B market to a growing $3T+ juggernaut. At Bitwise, we believe that crypto has reached a turning point, and is headed north of $10T over the next few years.

This is an exciting moment for Bitwise as a firm. For eight years, we have established a track record of excellence managing a broad suite of index and active solutions across ETFs, separately managed accounts, private funds, institutional staking, and hedge fund strategies. This year, we crossed $15B in client assets and are growing quickly. Thousands of financial advisors, family offices, and institutional investors partner with Bitwise to understand and access the opportunities in crypto. We are known for providing unparalleled client support through expert research and commentary, a nationwide client team of crypto specialists, and deep access to the crypto ecosystem.

Currently, Bitwise is a close-knit team of 100+ global professionals. Think of us as a mix of an asset manager and a tech start-up. We’re backed by some of the most accomplished investors in venture capital and veterans of the financial services world. We love working together, we love what we do, and we’re excited about what’s ahead.

About The Role

Our engineering organization is growing, and with that growth comes an expanding application and infrastructure footprint that requires dedicated application security ownership. This role exists to build that function from the ground up.

As our first dedicated Staff Application Security Engineer, you will own the design and implementation of our application security program, from SAST and DAST tooling to secure SDLC practices, threat modeling, dependency security, and penetration testing coordination. You will work directly with engineering teams across a cloud-based environment securing both customer-facing products and internal systems.

You will be reporting directly to the Head of Security and will have the autonomy and organizational support to build an application security program that is practical, scalable, and aligned to the risk profile of a company operating in the digital asset space.

Primary Responsibilities

Static & Dynamic Application Security Testing (SAST / DAST)
- Own the full implementation of SAST tooling across all codebases and CI/CD pipelines
- Own the full implementation of DAST tooling across all customer-facing and internal applications
- Establish baseline findings, prioritize remediation, and work directly with engineering to resolve issues
- Maintain and tune tooling over time as the codebase and attack surface evolve

Secure SDLC & Code Integrity
- Define and enforce a secure software development lifecycle across engineering teams
- Establish secure release processes including code signing and build integrity verification
- Develop and maintain security standards, guidelines, and secure coding practices
- Integrate security checkpoints throughout the development pipeline without creating unnecessary friction for engineering

Threat Modeling
- Lead threat modeling exercises for new infrastructure designs, features, and system changes
- Ensure all customer-facing and internal applications are fully documented and threat modeled
- Maintain a living inventory of the company's attack surface and ensure it reflects current architecture
- Apply blockchain-specific threat modeling to smart contracts, bridge infrastructure, and custody-adjacent systems, including multi-sig signing flows and on-chain/off-chain trust boundaries

Dependency & Supply Chain Security
- Implement and manage dependency scanning across all projects
- Enforce version pinning policies to reduce exposure from uncontrolled dependency updates
- Deploy and manage supply chain security tooling (e.g., Socket.dev or equivalent) to monitor for malicious or compromised dependencies
- Establish a process for ongoing dependency review and remediation

Penetration Testing
- Define and maintain a penetration testing program covering all surface areas — applications, APIs, internal tooling, and infrastructure
- Scope, schedule, and manage third-party penetration testing engagements
- Track findings through to remediation and validate fixes

Secrets Management
- Design and implement a secrets management program across cloud infrastructure and engineering workflows
- Eliminate hardcoded credentials and secrets from codebases
- Establish policies and tooling for secrets rotation, access control, and audit logging

Fuzzing & Attack Surface Coverage
- Implement fuzz testing across applicable components, particularly APIs and input-handling logic
- Ensure coverage gaps in the attack surface are identified, documented, and addressed systematically

Role Requirements
- 7+ years of experience in application security or a closely related discipline
- Demonstrated experience building or significantly maturing an application security program
- Deep hands-on experience with SAST and DAST tooling implementation and management
- Strong knowledge of secure SDLC practices and CI/CD pipeline security integration
- Experience with dependency scanning and software supply chain security
- Proficiency in threat modeling methodologies (STRIDE, PASTA, or equivalent)
- Experience managing or coordinating third-party penetration testing engagements
- Solid understanding of secrets management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, or equivalent)
- Strong written and verbal communication skills — able to document findings and present risk clearly to both technical and non-technical audiences
- Demonstrated experience securing blockchain-connected systems, including smart contract security review, multi-sig wallet architectures, and cross-chain bridge protocols
- Working familiarity with common DeFi attack surfaces

What We Offer
- Compensation: $185,000 to $260,000 + Equity
- Equity compensation as a component of all offers
- Health insurance, including dental and vision plans
- Health, Dependent Care and Commuter Flexible Spending Accounts
- Paid Parental Leave
- Life insurance; short- and long-term disability plans
- Company-funded 401(k) plan, no matching required
- Unlimited PTO
- 10 paid company-wide holidays
- Company-wide winter break for most roles
- Office spaces in San Francisco, New York, and London
- Meals and snacks provided in office
- Paid company cell phone or stipend
- Bitwise “Buddy” Program (30-day new-hire success program)
- Annual anniversary gifts
- Company-wide events including annual holiday party
- Internal Women of Bitwise (WOB) group with fun events

Our Values

At Bitwise, we believe that our success is a direct reflection of the people who power it. Our work is guided by a core set of values that define how we collaborate, innovate, and serve our clients. We don’t just hire for skill; we hire for a shared commitment to the principles below.
- Create 'a ha' moments
- Move fast, with informed rationale
- Ask "What would the client want?"
- Show gratitude

Your Interview Process

Our interview process ensures the best fit for both you and Bitwise, and we strive to make each step valuable, insightful, and efficient.
1. Recruiter Interview
2. Hiring Manager Interview
3. Work Sample
4. Meeting the Team
5. Executive/Founders Interview
6. References
7. Offer!

Bitwise is an equal opportunity employer. We are committed to building a team of people with a variety of backgrounds, perspectives, and skills. It is the policy of Bitwise to ensure equal opportunity. All candidates are considered without regard to race, color, religion, national origin, age, sex, sexual orientation, gender identity, marital status, ancestry, physical or mental disability, veteran status, or any other legally protected characteristics.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

Please note that we do not sponsor visas for persons without work authorization in the United States. This role is for full-time employees only (no B2B or contractors). Thank you!

The Pay Range For This Role Is
- 185,000 - 260,000 USD per year (Remote)
- 185,000 - 260,000 USD per year (NYC Office)
- 185,000 - 260,000 USD per year (SF Office)
- 185,000 - 260,000 USD per year (London Office)