Key skills
Application SecuritySecurity Architecture ReviewsThreat ModelingJavaPythonRubySecure Coding StandardsAPI SecuritySASTDASTSCACI/CD SecuritySecrets ManagementCloud-native SystemsDistributed SystemsSecurity CertificationsAIMLGraphQLAWSSDLCCI/CDLeadershipMentoringCollaboration
About this role
Upstart is a leading AI lending marketplace focused on reducing the cost and complexity of borrowing for all Americans. The Principal Application Security Engineer will lead the application security strategy, ensuring the safety of core product platforms and managing threats through collaboration and automation.
Responsibilities:
- Define and drive Upstart’s application security strategy, aligning secure-by-design principles with business priorities, regulatory expectations, and our AI-driven product roadmap
- Lead cross-functional security architecture reviews for critical initiatives, influencing engineering, platform, data, and infrastructure decisions to reduce systemic risk early in the SDLC
- Establish and scale a robust threat modeling program for high-risk systems, including customer-facing applications, lending workflows, and ML/AI pipelines, translating findings into durable engineering standards and controls
- Design and standardize application security guardrails across the SDLC, including secure coding practices, automated testing (SAST/DAST/SCA), CI/CD protections, and secrets management
- Partner with Infrastructure and Cloud teams to strengthen the security posture of cloud-native and distributed systems, ensuring defense-in-depth across application and infrastructure layers
- Identify and reduce internal and external attack surface through automation and platform-level solutions, prioritizing long-term risk reduction over point-in-time remediation
- Serve as a senior technical authority during high-severity incidents, driving root cause analysis and durable architectural improvements
- Elevate security maturity across the organization by mentoring engineers, influencing leadership through clear risk metrics, and fostering a culture where security enables innovation
Requirements:
- 9+ years of experience in security engineering, with at least 5 years focused on application security
- Demonstrated experience leading security architecture reviews and threat modeling for complex, customer-facing production systems
- Experience in Java, Python or Ruby development
- Experience designing and implementing application security controls across the SDLC, including secure coding standards, API Security, SAST/DAST/SCA, CI/CD security, and secrets management
- Demonstrable track record as an influential leader, delivering security solutions with multiple stakeholder groups
- Experience managing multiple and simultaneous, significant information security initiatives and programs
- Experience developing code and building services to enhance unique security operational needs
- Experience with advanced threat modeling techniques and risk assessment
- 10+ years of experience spanning across multiple security and engineering domains in a cloud-native and/or distributed systems environment
- Experience building or scaling an application security program, including defining metrics, maturity models, and risk-based prioritization frameworks
- Familiarity with security considerations in modern frontend frameworks, APIs (REST/GraphQL), and microservices architectures
- Experience partnering with Legal, Risk, Compliance, and Audit teams to operationalize security controls in regulated environments
- Security certifications such as CISSP, CCSP, AWS Security Specialty, or equivalent practical expertise