Webflow is building the world’s leading AI-native Digital Experience Platform as a remote-first company. They are seeking a Staff Application Security Engineer to enhance secure development practices and collaborate with the engineering team to secure their web application platform and ecosystem.
Responsibilities:
- Collaborate with the Webflow engineering team to secure Webflow’s web application platform and ecosystem
- Bring security best practices to the software development lifecycle
- Work as part of a team to champion security standards while balancing business strategies and requirements
- Support Webflow’s current and future security compliance frameworks
- Work to find security vulnerabilities through grey-box techniques, and propose solutions at the architecture and code level to mitigate findings
- Contribute code and architecture improvements to enable security within Webflow’s application for engineers
- Cross-train entry and mid-level application security engineers
Requirements:
- BA/BS degree or equivalent experience
- 7+ years of application security experience, including hands-on software development, having operated as a technical authority in securing high-complexity, large-scale applications
- Deep expertise in secure software design, secure coding, and modern web application security, with a proven ability to identify security design flaws and complex business-logic vulnerabilities, and to drive risk-based remediation with engineering teams
- Regularly lead threat modeling efforts, conduct and oversee advanced penetration testing, and manage third-party pentests, ensuring findings are clearly documented, communicated, and remediated to completion
- Designed, implemented, and evolved software supply chain security programs, and have owned or led bug bounty programs and major security tooling initiatives, shaping strategy rather than acting solely as a contributor
- Implemented and improved Secure Development Lifecycle (SDLC) processes at scale, including planning, automation, and cross-org communication, influencing how multiple teams build and ship software securely
- Driven multi-quarter application security roadmaps and complex security programs, partnering with engineering, product, and platform teams to deliver durable security outcomes
- Led security initiatives within large-scale solutions, including designing and delivering security features directly into applications (e.g., authorization models, security controls, or admin-level protections) in close collaboration with engineering and partner orgs
- Experience using and building security solutions that leverage agentic AI, including applying AI coding agents to scale security reviews, detection, and automation responsibly
- Participated in and led response efforts for application security incidents, from triage and containment through remediation and post-incident improvements
- Actively mentor and elevate other application security engineers, and help foster strong security practices and judgment across engineering organizations
- Passionate about security, continuously learning, and able to clearly explain complex security concepts to technical and non-technical partners to drive alignment and action
- Stay curious and open to growth — actively building fluency in emerging technologies like AI to unlock creativity, accelerate progress, and amplify impact