Product & Application Security Engineer
Please Note: This is a Utah-based hybrid position which will require some regular in-office days each week. Additionally, employment with BambooHR is contingent on passing both a background and credit check.
Essential Job Duties
We are expanding our security team and seeking a highly experienced and strategic Application Security Engineer with a deep understanding of threat modeling, risk assessment, and cross-functional collaboration. In this critical role, you will be responsible for proactively identifying and mitigating security risks by conducting thorough threat modeling, aligning security efforts with business objectives, and ensuring our platform meets the highest standards of security and privacy, particularly for a multi-tenant SaaS environment.
You will:
- Authentication & Authorization Expertise: Provide deep expertise and guidance on secure authentication mechanisms, session management, and complex access control models relevant to a multi-tenant SaaS platform.
- Product Security Collaboration: Partner closely with product managers and engineering teams to embed security requirements early in the product development lifecycle, balancing user experience (UX) with robust security.
- SaaS-Specific Security: Address security challenges unique to a SaaS environment, including multi-tenancy isolation, secure API design principles, prevention of horizontal privilege escalation, and secure data handling.
- API Security Testing: Conduct hands-on security testing of APIs using various tools (e.g., Burp Suite, Postman, custom scripts) to identify vulnerabilities and ensure secure communication and data exchange.
- Secure Development Lifecycle (SDLC): Collaborate with engineering and product teams to integrate security requirements and best practices throughout the entire SDLC, from design to deployment.
- Code & Design Reviews: Conduct thorough security reviews of application architecture, design documents, and source code to identify and mitigate potential vulnerabilities.
- SAST/DAST Automation: Design, implement, and maintain the integration of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools into our CI/CD pipelines, along with runtime application self-protection (RASP) for web applications.
- Vulnerability Management: Develop, automate, and enhance our vulnerability management processes, including triage, prioritization, and tracking of security findings across applications.
- Developer Enablement: Provide guidance, training, and tools to developers on secure coding principles, common vulnerabilities, and secure design patterns.
- Security Consultation: Provide expert security consultation and guidance to development teams on secure coding practices, architectural patterns, and vulnerability remediation.
- Continuous Improvement: Stay current with the latest security threats, industry best practices, and emerging technologies, advocating for their adoption to enhance our platform's security posture.
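The multi-tenancy and horizontal-privilege-escalation duties above come down to one rule: every object lookup must be scoped by the tenant taken from the authenticated session, never by an identifier the client supplies. The following Python is an added example, not BambooHR code; the `Principal`, `EmployeeRecord`, role names and sample rows are all hypothetical and constructed inline so it runs offline. It shows the vulnerable id-only lookup (an IDOR) beside the tenant-scoped version, including the choice to return "not found" rather than "forbidden" for cross-tenant ids so the API does not become an oracle for enumerating another tenant's records.

```python
"""Tenant-scoped object access versus an IDOR in a multi-tenant SaaS API.

Added example with constructed data; not the code of any real product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity taken from the verified session/JWT, never from the request body."""
    user_id: str
    tenant_id: str
    role: str  # hypothetical roles: "admin" or "employee"


@dataclass(frozen=True)
class EmployeeRecord:
    record_id: int
    tenant_id: str
    owner_user_id: str
    salary: int


# Constructed sample data: two tenants share one table with globally unique ids,
# which is exactly the layout where an id-only lookup leaks across tenants.
RECORDS = {
    101: EmployeeRecord(101, "acme", "u-alice", 90_000),
    102: EmployeeRecord(102, "acme", "u-bob", 85_000),
    201: EmployeeRecord(201, "globex", "u-carol", 120_000),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_record_vulnerable(principal: Principal, record_id: int) -> EmployeeRecord:
    """IDOR: authenticates the caller but never checks the tenant or owner.

    Any logged-in user can read any row in the shared table by guessing ids.
    """
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def get_record_secure(principal: Principal, record_id: int) -> EmployeeRecord:
    """Tenant filter first, then the per-tenant access-control decision.

    Cross-tenant and missing ids are indistinguishable (both NotFound) so the
    endpoint cannot be used to confirm which ids exist in other tenants.
    Within the tenant, non-admins may only read their own record.
    """
    rec = RECORDS.get(record_id)
    if rec is None or rec.tenant_id != principal.tenant_id:
        raise NotFound(record_id)
    if principal.role != "admin" and rec.owner_user_id != principal.user_id:
        raise Forbidden(record_id)
    return rec


def list_records_secure(principal: Principal) -> list[EmployeeRecord]:
    """List endpoint with the tenant predicate applied to every query."""
    rows = [r for r in RECORDS.values() if r.tenant_id == principal.tenant_id]
    if principal.role != "admin":
        rows = [r for r in rows if r.owner_user_id == principal.user_id]
    return rows


def outcome(fn, principal: Principal, record_id: int) -> str:
    """Map a lookup to the HTTP-style result a tester would observe."""
    try:
        fn(principal, record_id)
        return "200"
    except NotFound:
        return "404"
    except Forbidden:
        return "403"


if __name__ == "__main__":
    alice = Principal("u-alice", "acme", "employee")
    # Alice probes a record id belonging to another tenant.
    print("vulnerable:", outcome(get_record_vulnerable, alice, 201))  # 200: leak
    print("secure:    ", outcome(get_record_secure, alice, 201))      # 404
```

A practical test for this class of bug is the one Alice runs above: authenticate as a low-privilege user in tenant A, replay a tenant B record id (or increment your own id), and treat any 200 or any 403-versus-404 difference across tenants as a finding. In a real service the tenant predicate belongs in a repository or ORM layer so that individual handlers cannot forget it.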
What You Need to Get the Job Done
- Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent practical experience.
- At least 3 years of hands-on experience in application and product security.
- Automation and AI: Experience driving automation of security tasks, using scripting and orchestration to streamline workflows.
- Deep understanding of web application and API security principles, including authentication, authorization (OAuth, OpenID Connect, JWT), session management, and access control models.
- Proficiency in IaC (Terraform, CloudFormation) and CI/CD pipeline security (e.g., GitHub Actions, CircleCI integrations).
- Proven experience conducting design and code reviews for web applications and APIs.
- Demonstrable experience deploying, configuring, and maintaining SAST and DAST tools within CI/CD pipelines (e.g., Jenkins, GitLab CI, Azure DevOps, CircleCI).
- Strong understanding of common web application vulnerabilities (OWASP Top 10) and their exploitation/mitigation.
- Experience with scripting languages (e.g., Python, Bash) for automation.
- Demonstrated ability to translate technical security risks into clear, concise business terms for diverse audiences, including legal, privacy, and product stakeholders.
- Experience collaborating directly with product teams to integrate security into product roadmaps and balance security with user experience.
- Excellent communication, interpersonal, and presentation skills.
- AI at BambooHR: At BambooHR, we believe in leveraging cutting-edge technology to empower people and transform HR. We're actively integrating AI into our solutions and workflows to enhance efficiency and drive innovation. To that end, we're looking to our existing team members and future hires to share this forward-thinking mindset: individuals who are curious about AI's potential, eager to learn and adapt, and ready to explore how intelligent tools can elevate their work, along with BambooHR's impact on setting people free to do great work. Join us in reimagining the future of HR!
What Will Make Us REALLY Love You
- Relevant security certifications (e.g., CSSLP, GCSA, CISSP).
- Experience with privacy frameworks and regulations (e.g., GDPR, CCPA).
- Familiarity with cloud security architecture (AWS, Azure, GCP).
- Experience with security champion programs.
What You'll Love About Us
- A great company culture that has been recognized by multiple organizations, such as Inc. and The Salt Lake Tribune
- Comprehensive health, life, and disability insurance
- Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off so you can enjoy quality of life
- 401k plans with up to 6% company match
- $2000 Paid-Paid Vacation bonus
- EAP through Headspace
- Check out all our benefits that benefit you
About Us
At BambooHR, we're building something different: we're building a people intelligence platform that transforms HR and sets people free to do great work! We're a proven market leader driving innovation while building lasting success through thoughtful, sustainable growth. Here, you'll find a place that champions growth: both professional and personal, both individual and collective.
We invest in potential, giving you the space to stretch your capabilities and turn good ideas into reality while providing the safety net of a supportive, values-driven culture. Our approach combines meaningful work with meaningful lives, offering competitive benefits, professional development, and the flexibility to thrive both in and outside the office.
What sets us apart isn't just what we do, but how we do it: with openness, integrity, and a shared commitment to doing the right thing. Join us in creating HR software that makes work better for everyone, while we make work better for you.
BambooHR is committed to the full inclusion of all qualified individuals and will ensure that persons with disabilities are provided reasonable accommodations throughout the hiring process. If you would like to request accommodations, please let your recruiter know.
BambooHR is An Equal Opportunity Employer--M/F/D/V
Because our team members are trusted to handle sensitive information, we require all candidates that receive and accept employment offers to complete a background check before being hired.
Our process utilizes AI as an assistant to efficiently process and analyze candidate data. Recruiters and hiring managers maintain full oversight and accountability, ensuring that all final selection and rejection decisions are human-made and based solely on objective job qualifications. Please see our General Privacy Notice and California Privacy Notice for more details.