Hiring AppSec Engineers: The Complete Guide

# Application Security Engineer

**Location:** San Francisco, CA (Hybrid) · **Employment Type:** Full-time · **Level:** Mid-Senior

## About [Company]

[Company] builds products used by 3M+ customers, processing sensitive data that requires our full attention to security. We're looking for an AppSec Engineer to help us ship secure code faster by embedding security into our development process from day one.

We're a team of 120 engineers shipping code daily. Our security team is 6 people—3 AppSec, 2 Infrastructure Security, and 1 Security Manager. We're Series B funded ($50M) and security is a board-level priority following our recent SOC 2 certification.

**Why join [Company]?**

- Shape security culture at a fast-growing company
- Work with engineers who care about security (not an uphill battle)
- Modern stack with room to implement best practices
- Competitive compensation with meaningful equity
- Direct impact on protecting millions of customers

## The Role

We're looking for an AppSec Engineer to partner with engineering teams and secure our applications from design through deployment. You'll conduct threat modeling, implement security testing automation, train developers, and build the tooling for secure development at scale.

The ideal candidate is a developer first and a security expert second. You understand the pressures engineering teams face and can integrate security without slowing down delivery. You're pragmatic—you know that perfect security doesn't exist, and you optimize for risk reduction.

## What You'll Work On

### First 30 Days
- Understand our codebase, architecture, and current security posture
- Meet with engineering leads across all teams
- Review existing security tooling and identify quick wins
- Ship your first security improvement

### First 90 Days
- Lead threat modeling sessions for 2-3 major features
- Reduce SAST false positives by 50%+
- Establish relationships as a trusted security partner
- Train engineering team on secure coding for your primary language

### First Year
- Scale AppSec through security champions program
- Achieve 80%+ coverage for critical applications
- Reduce mean time to remediation by 50%
- Build comprehensive security testing in CI/CD

## Responsibilities

**Security Reviews & Consulting (40%)**
- Lead threat modeling sessions for new features and architecture changes
- Perform secure code reviews for critical components
- Consult with engineering teams on security architecture decisions
- Review third-party integrations and vendor security

**Tooling & Automation (35%)**
- Implement and tune SAST, DAST, and SCA in CI/CD
- Reduce false positives to make tools usable
- Build custom security checks for business-specific risks
- Monitor and improve security testing coverage

**Training & Culture (25%)**
- Train developers on secure coding practices
- Build and run security champions program
- Create and maintain security documentation
- Triage vulnerabilities and guide remediation

## Required Skills and Qualifications

**Technical Skills**
- 3+ years in application security or software development with security focus
- Strong programming skills—we're primarily TypeScript/Node.js and Python, but language transfers
- Experience with security testing tools (SAST, DAST, SCA)—Semgrep, Snyk, or similar
- Deep understanding of OWASP Top 10 and common vulnerability classes
- Threat modeling experience (STRIDE, attack trees, or similar)
- CI/CD security integration experience

**Soft Skills**
- Developer empathy—you've been in their shoes
- Clear communication—you can explain risk to non-security engineers
- Pragmatic approach—you optimize for risk reduction, not perfection
- Collaborative mindset—security enables, not blocks

## Nice to Have

- Background as a software developer before security
- Penetration testing skills or bug bounty experience
- Cloud security experience (we're primarily AWS)
- Security certifications (OSWE, CSSLP, GWAPT)
- Experience building security champions programs

## Tech Stack

**Languages:** TypeScript/Node.js, Python, some Go
**Security Tools:** 
- SAST: Semgrep, CodeQL
- SCA: Snyk, Dependabot
- DAST: Burp Suite, custom scripts
- Secrets: GitLeaks, HashiCorp Vault
**CI/CD:** GitHub Actions, ArgoCD
**Cloud:** AWS (EKS, RDS, S3, Lambda)

## Compensation and Benefits

**Salary:** $150,000 - $200,000 (based on experience)
**Equity:** 0.04% - 0.15% (standard 4-year vesting with 1-year cliff)
**Bonus:** 10-15% annual target

**Benefits:**
- Health, dental, vision (100% covered for employee)
- 401(k) with 4% match
- Unlimited PTO (average taken: 4 weeks)
- $3,000/year for conferences and training
- Certification reimbursement
- Home office setup stipend

## Interview Process

1. **Recruiter Screen** (30 min) - Background and mutual fit
2. **Technical Screen** (60 min) - Security fundamentals and threat modeling
3. **Code Review Exercise** (90 min) - Review code for security vulnerabilities
4. **Onsite** (4 hours, can be virtual)
   - Technical Deep Dive (60 min) - Discuss the code review and your approach
   - Threat Modeling (60 min) - Collaborative threat modeling for a real scenario
   - Developer Collaboration (45 min) - How you work with engineering teams
   - Culture Fit (45 min) - Team fit and values alignment
5. **Offer** - Within 48 hours of final interview

We aim to complete the process in 2-3 weeks.