JOBSEARCHER

Senior Application Security Engineer

United States of America

At Qualia, we've built the leading B2B real estate technology that transforms the home buying and selling experience into a simple, secure, and enjoyable process. Our SMB and Enterprise products bring together users from across the real estate ecosystem---homebuyers and sellers, lenders, title and escrow agents, and real estate agents---onto a single shared digital closing platform, providing greater clarity and transparency to real estate transactions. Today, through our business customers across the country, millions of consumers use Qualia to close on homes every year.

What You'll Work On

We're hiring a Senior Application Security Engineer to join a small, high-leverage AppSec team. This is a deep-technical IC role with a staff-leaning scope: you'll set the technical direction and own delivery on how we find, fix, and prevent vulnerabilities across Qualia's products and cloud infrastructure, and you'll be the person other engineers want in the room when an architecture decision has a security dimension.

You'll partner daily with product engineering, infrastructure, and platform teams, and you'll work closely alongside our existing AppSec engineers - raising the technical bar of the team while staying deeply hands-on with code, tooling, and adversarial testing. This is the right role for someone who is as comfortable writing a Burp extension or a Semgrep rule as they are pairing with a product engineer to land a fix.

Responsibilities

- Run offensive assessments against Qualia's applications and infrastructure: manual penetration testing, exploit development, authenticated web/API testing, and adversarial review of new designs before they ship
- Lead threat modeling and secure design review for the highest-risk initiatives across the company, and mentor engineers to do the same for their own work
- Own and evolve our AppSec tooling stack end-to-end - SAST, DAST, SCA, secret scanning, IaC scanning, and the CI/CD gates that tie them together. Build the custom rules, detections, and automation that generic tooling doesn't give us
- Harden our cloud posture: review AWS configurations, IAM policies, Kubernetes/EKS workloads, and networking boundaries; build automation and guardrails that prevent the same class of issue from recurring
- Reduce toil for the team - write the tools, scripts, and integrations that turn a day of triage into a few minutes
- Partner with Infrastructure and Platform on detection engineering, incident response support, and cross-cutting programs (secrets management, supply chain, runtime security)
- Set the technical bar for the AppSec team: raise the quality of reviews, establish patterns others can reuse, and mentor peers across seniority levels
- Represent AppSec in architectural reviews, vendor evaluations, and compliance efforts

YOUR BACKGROUND THAT LIKELY MAKES YOU A MATCH

- 8+ years of hands-on experience in application security, offensive security, or security engineering, with demonstrable depth in at least two of: offensive testing, security tooling/automation, and cloud/infra security
- Strong offensive skills - you can manually exploit real web and API vulnerabilities beyond what a scanner will find, and you can teach others to do the same
- Deep familiarity with building and operating security tooling in a modern engineering org: SAST/DAST/SCA pipelines, custom detection rules, secrets scanning, and CI/CD security gates. You've written tooling, not just configured it
- Production experience with AWS (IAM, VPC, networking, data services), containerized workloads (Docker, Kubernetes/EKS), and infrastructure-as-code (Terraform or similar)
- Comfort reading, reviewing, and contributing code in at least one language common to modern web stacks (Python, Go, Ruby, TypeScript, or similar)
- Clear, direct communication style. You can make a sharp technical argument to senior engineers, translate risk into business terms for leadership, and write a bug report an engineer actually wants to fix
- Strong partnership instincts - you get leverage by making other teams faster, not by blocking them

NICE TO HAVE

- Experience in fintech, proptech, healthcare, or another regulated industry where data sensitivity is high
- Background meaningfully contributing to a bug bounty program
- Experience with identity and access systems (OIDC, SAML, federation, fine-grained authorization)
- Detection engineering, DFIR, or red-team experience
- Open source contributions to security tooling, published research, or CVE credits
- Relevant certifications (OSCP, OSWE, GWAPT, GPEN, etc.) - valued but not required

While this role is remote work eligible, we have three office locations: San Francisco, California; Concord, New Hampshire; and Austin, Texas.

This role has a base annual salary of $180,000-$210,000 plus a competitive equity and benefits package. (Salary to be determined by relevant experience, location, knowledge, and skills of the applicant, internal equity, and alignment with market data.)

WHY QUALIA

Qualia is made up of incredibly bright, mission-driven coworkers who are passionate about using technology to solve real-world problems---and we're growing quickly.
In order to continue building an engaging and dynamic organization, we're committed to giving everyone the support they need to do great work.

Our benefits package is designed to allow our team members to be their best selves, both in and out of the workplace. In addition to comprehensive health plans, a 401k program, and commuter benefits, we prioritize family and personal well-being through professional development, parental leave, and a flexible time off policy. Qualia offers a robust online onboarding program to train new hires, biweekly all hands meetings, and a variety of internal virtual events to keep employees connected.

We believe diverse perspectives and backgrounds are critical to building great technology, and our goal is to cultivate an environment where people feel equally valued and respected. Qualia is proud to be an equal-opportunity workplace, and we welcome applicants from all backgrounds regardless of race, color, ancestry, religion, gender identity or expression, sexual orientation, marital status, age, citizenship, socioeconomic status, disability, or veteran status.

By submitting your application, you acknowledge and agree to the collection, processing, and use of your personal information as described in our Employee Data Privacy Notice.