Workiva is a company focused on enhancing security across its applications and infrastructure. The Staff Product & Application Security Engineer will partner with product and engineering teams to ensure application security, assess vulnerabilities, and provide guidance on secure design practices.
Responsibilities:
- Serves as a technical security lead and domain expert to executive and engineering leadership for large, cross-organizational initiatives
- Leads the application of security techniques, threat modeling, and secure design practices to protect applications, cloud infrastructure, and product environments
- Defines, champions, and drives the adoption of organization-wide security standards, best practices, and foundational architecture patterns
- Develops and implements objective, quantifiable metrics to measure the effectiveness and maturity of Workiva’s application security program, reporting progress to executive stakeholders
- Resolves the most ambiguous, high-impact, and systemic security challenges across the entire platform, often requiring changes to established engineering processes
- Proactively identifies systemic security risks across products, services, and infrastructure
- Designs and drives effective long-term security solutions and remediation strategies across diverse product areas
- Anticipates emerging industry security trends, regulatory changes, and threat landscapes, translating them into proactive, preventative technical strategies
- Drives the formal risk acceptance or mitigation processes for critical, high-severity vulnerabilities that carry significant compliance or business risk
- Drives broad, lasting, and foundational security changes that significantly enhance Workiva’s overall security posture, customer trust, and global compliance
- Exercises ultimate technical judgment in defining company-wide security standards and directly influences major security investment decisions
- Ensures the company's product security controls meet the technical requirements for relevant compliance frameworks (e.g., SOC 2, ISO 27001, FedRAMP)
- Acts as a lead security advisor to executive leadership (VP/CTO level) on platform security risks, strategic initiatives, and technical feasibility
- Regularly collaborates across product, engineering, platform, and infrastructure teams to influence secure architecture and design decisions
- Engages with senior internal stakeholders and leads discussions with directors and senior directors on security topics
- Formally coaches and mentors other Senior and Staff Engineers on advanced security engineering, technical leadership, and driving complex, multi-team projects
- Defines and is fully accountable for the technical security roadmap and direction for major domains or engineering organizations without requiring external guidance
- Owns security assessments, risk evaluations, and remediation efforts from discovery through resolution
- Serves as a lead technical authority and security subject matter expert, representing the organization in cross-functional architecture and governance councils
Requirements:
- 6+ years of related experience with a Bachelor's degree or equivalent experience
- 3+ years of software development experience in at least one of the following languages: Java, JavaScript/TypeScript, Python, Go
- Deep knowledge of application security, secure coding practices, threat modeling, and vulnerability classes, including the OWASP Top 10
- Proven experience leading secure code reviews, architecture reviews, and security design discussions
- Ability to communicate complex security concepts, risks, and recommendations to both technical and executive stakeholders
- Experience using web application security testing tools such as Burp Suite
- Strong understanding of cloud security concepts, particularly in AWS-based environments
- Hands-on penetration testing experience across modern web applications
- Familiarity with DevSecOps tooling such as Semgrep, GitHub Advanced Security, Trivy, Grype, or similar
- Proven experience driving the adoption of large-scale security initiatives (e.g., implementing a global Zero Trust architecture, defining a company-wide secret management strategy)
- Proven experience designing, building, and operating production security services/systems (e.g., internal security libraries, secrets management systems, authentication services, centralized security logging frameworks) used by 10+ engineering teams
- Advanced web application penetration testing certifications such as OSWA, OSWE, OSCP, BSCP, eWPT, or GWAPT
- Secure code review or application security certifications such as CASE Java or OSWE
- Cloud security certifications such as AWS Certified Security - Specialty or Google Cloud Professional Cloud Security Engineer
- Web Application Firewall (WAF) tuning and optimization experience
- Experience securing or evaluating AI-driven systems and workflows
- Expertise in at least one major cloud provider (AWS, GCP, or Azure) beyond a single product environment, covering cross-account security, networking, and governance design; AWS strongly preferred