UniUni is a late-stage last-mile logistics company focused on moving parcels across the United States and Canada. They are seeking a Staff Application Security Engineer to lead product and platform security, ensuring secure software development and embedding security into engineering processes.
Responsibilities:
- Lead threat modeling on new and existing services, focusing on the systems where the risk is real and the architecture is in motion
- Run our secure code review program, including designing review playbooks, doing the hardest reviews yourself, and coaching engineers to catch issues earlier
- Operate and tune our AppSec tooling stack across SAST, DAST, SCA, and secrets scanning, keeping signal high and noise low
- Own the third-party penetration testing program in partnership with the ISO, from scoping through findings triage and fix verification
- Drive standards for authentication, authorization, session management, and API security across our products, and engineer the hard parts yourself when needed
- Embed security controls into our CI/CD pipelines so the secure path is the default path: pre-commit checks, build-time scans, signed artifacts, and policy-as-code gates
- Harden our cloud workloads on AWS, including container and Kubernetes security, secrets management, and runtime protections
- Codify infrastructure security baselines as IaC and policy (e.g., OPA/Conftest, AWS SCPs, Terraform guardrails) and own the rollout across the platform
- Partner with the platform team on identity-aware access to infrastructure, including non-human identities, short-lived credentials, and privileged access patterns
- Engineer enterprise SSO (SAML 2.0 and OpenID Connect) into customer-facing products in support of contractual security commitments to enterprise shippers
- Set the technical direction for API security, including authentication, authorization, rate limiting, abuse prevention, and tenant isolation
- Drive secure-by-default patterns for data handling in our products, including encryption, key management, and access controls for customer and operational data
- Be the senior technical voice in customer security reviews when the questions go past what a questionnaire can answer
- Triage and lead response to application and platform security incidents, including root cause analysis and durable fixes
- Mentor engineers on secure design and secure coding, and raise the security fluency of the engineering organization through training, office hours, and example
- Contribute to ISO 27001 and SOC 2 evidence, control design, and audit readiness for the controls you operate
Requirements:
- 8+ years building and securing production software, with the last several years focused on application security, product security, or DevSecOps as your primary discipline
- Deep, demonstrable software engineering ability. You read code fluently across multiple languages, you write production-quality code, and engineers respect your technical judgment
- Hands-on experience securing AWS workloads at scale, including IAM, networking, container and Kubernetes security, and IaC (Terraform or equivalent)
- Working command of modern AppSec tooling (SAST, DAST, SCA, secrets scanning) and how to deploy it in a CI/CD pipeline without grinding delivery to a halt
- Strong threat modeling skills and a track record of turning models into shipped controls
- Practical experience implementing SAML 2.0 and OpenID Connect, and a clear mental model of identity, session, and authorization design
- Experience leading the technical response to security incidents in production environments
- Ability to influence engineers and engineering leaders without authority. You explain risk in terms that engineers act on, and you partner rather than police
- Experience in logistics, supply chain, marketplaces, or other high-volume transactional businesses
- Background contributing to or maintaining open source security tooling
- Prior experience supporting ISO 27001 or SOC 2 control design from the engineering side
- Offensive security background (CTFs, bug bounty, red team) that informs how you think about defense
- Experience hardening LLM-integrated or AI-powered features in production