Key skills
JavaScriptPythonJavaAWSGCPIAMOktaIdentity ManagementSSOSalesforceCommunicationCritical ThinkingCollaborationOWASPZero TrustWAF
About this role
Sunrun is the #1 home solar and battery company in America, dedicated to changing the way the world interacts with energy. The Application Security Engineer will play a crucial role in protecting the company's applications by driving the identification, assessment, and mitigation of security risks while collaborating with developers and IT teams to integrate security practices throughout the software development lifecycle.
Responsibilities:
- Threat Modeling & Security Design: Assess potential attack vectors and design defense-in-depth strategies that address gaps across infrastructure, 1st and 3rd party applications, and identity management
- Secure Software Development Life Cycle (SSDLC): Partner with application development teams to integrate security into every stage of the development lifecycle. Champion secure coding standards, conduct security code reviews, and provide expert guidance to minimize vulnerabilities before production
- Identity & Access Management (IAM): Design, implement, and manage identity security solutions across 1st and 3rd party applications. Showcase hands-on experience in implementing strategies like Zero Trust architecture and modern authentication standards like WebAuthn
- Implement & Manage Security Controls: Design, implement, and fine-tune application security controls like SAST/DAST vulnerability scanning andand standardizing secure coding practices. Establish and improve operational processes to ensure their continued effectiveness
- Guidance, Training & Compliance: Develop and maintain security policies and standards for both application and identity security. Provide ongoing training to developers to elevate secure coding practices
- Stakeholder Collaboration: Use strong critical thinking and communication skills to present complex technical concepts to business stakeholders, gain alignment, and independently drive security initiatives forward
Requirements:
- 7+ years of combined experience in application security and identity & access management (IAM), with a proven track record of supporting application development teams
- Deep knowledge of application security principles, secure coding practices, common vulnerabilities (e.g., OWASP Top 10), and zero-trust architecture
- Hands-on experience with security testing tools (SAST, DAST), Web Application Firewalls (WAF), and IAM platforms (e.g., Okta, AWS IAM)
- Proficiency in programming languages such as Java, Python, or JavaScript
- Strong familiarity with cloud environments (AWS, GCP) and their native security and identity controls
- Demonstrated expertise in threat modeling and designing defense-in-depth strategies for complex applications
- Solid understanding of modern identity standards and technologies, including MFA, SSO, and WebAuthn
- Excellent communication and collaboration skills, with the ability to articulate technical findings and security risks to diverse audiences
- Strong critical thinking and creative problem-solving skills, with the ability to analyze systems from an attacker's perspective and devise effective countermeasures
- Experience with Okta and Salesforce security principles and best practices
- Certifications (preferred): Certified Information Systems Security Professional (CISSP), Certified Application Security Engineer (CASE), or similar credentials