Senior Application Security Engineer

San Francisco

We are seeking a Senior Application Security Engineer to join our product security engineering team and help build a secure foundation for our products. You will play a critical role in identifying, mitigating, and preventing security issues across our codebase, architecture, and runtime environments, and in further strengthening the secure software development lifecycle. This role requires a strong background in application security, deep technical expertise in secure coding practices, and a passion for secure software development in cutting-edge technologies including Web3, AI/LLMs, and decentralized platforms.

This is a hybrid-onsite position (onsite 3x per week), based out of our new office in the heart of San Francisco.

Responsibilities

  • Perform in-depth security design and code reviews, particularly in Rust and web frontends, and extending to system security aspects. Identify potential vulnerabilities and design flaws.
  • Design, implement, use, and maintain static and dynamic analysis tools and fuzz testing frameworks for continuous security validation.
  • Lead threat modeling sessions and proactively shape the secure design of complex systems.
  • Leverage knowledge of application security attack vectors and standards such as OWASP, CWE, and CAPEC to inform secure development.
  • Champion secure-by-design practices and partner closely with engineering to embed security throughout the SDLC. Promote security best practices within DFINITY and the ICP community.
  • Contribute to incident response coordination and third party vulnerability management.
  • Contribute security expertise to systems that interact with Web3 technologies and decentralized architectures, identifying unique risks in blockchain-based applications.

Requirements

  • 5+ years of experience in product or application security roles.
  • Strong proficiency in Rust and familiarity with web frontends, especially from a secure software development and auditing perspective.
  • Hands-on experience developing or integrating fuzz testing and dynamic analysis tools.
  • Deep knowledge of application security fundamentals, including secure coding, common vulnerabilities, and attack surface minimization.
  • Demonstrated ability to identify and remediate complex security design flaws.
  • Exposure to blockchain, smart contract, or Web3 systems security concerns and risk models.
  • Excellent communication and collaboration skills in cross-functional environments.

Preferred Qualifications

  • Experience contributing to open source security tools or frameworks.
  • Familiarity with blockchain protocol-level vulnerabilities or smart contract audits.
  • Familiarity with or proficiency in systems security is a strong plus, such as:
    • Experience with Trusted Execution Environments (TEEs) using AMD SEV-SNP
    • Linux OS and process isolation security, including syscall filtering, SELinux, seccomp, sandboxing untrusted processes, kernel vulnerabilities
    • Hypervisor and virtualization security, including QEMU, VM isolation, guest-to-host escapes, side-channel attacks, container security
  • AI/LLM security expertise is a major plus — including understanding adversarial attacks, prompt injection, model data leakage, and safe deployment of deep learning models.
  • Past work in environments with high-assurance security or regulated sectors is a bonus.

Base Salary Range:  $150,000 - $235,000/yr

This position can be considered across multiple levels. Total compensation at DFINITY consists of base salary + generous bonus and is determined based on multiple factors including job leveling, areas of expertise, educational background, geographic location and overall experience.  

In addition to the cash components of our offers, we have generous benefits including top tier medical, dental, and vision insurance; disability insurance; life insurance; 401(k); flexible PTO policy in addition to paid holidays.

 

About DFINITY and the Internet Computer:

DFINITY is a leading contributor to the Internet Computer Protocol (ICP), with a mission to bring the world's compute onto the secure ICP network. Built on its unique third-generation blockchain technology, ICP enables the development and operation of a new generation of unstoppable, tamper-proof, fully decentralized web applications. Its powerful technology can run entire AI models within smart contracts, representing a major advancement for secure AI. Through seamless integration with Bitcoin, Ethereum, and other networks, ICP facilitates multi-chain operations for digital assets and web3.

Join our team of over 250 talented individuals, including world-renowned cryptographers, distributed systems engineers, programming language experts, and industry leaders, who are shaping the future of the internet and web3.
 
DFINITY was founded in 2016 by entrepreneur and crypto theoretician, Dominic Williams.

All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status.
