ButterflyMX is on a mission to empower people to open and manage doors & gates from a smartphone. They are seeking a Senior Security Engineer to drive application security across the software development lifecycle, focusing on threat modeling, secure code review, and vulnerability management.
Responsibilities:
- Lead application security reviews, threat modeling sessions, and secure code review for new features and significant product changes
- Operate and continuously improve SAST, DAST, and SCA tooling; triage and prioritize findings in partnership with engineering teams to harden the codebase
- Plan and execute internal penetration tests against web applications, APIs, and mobile clients; coordinate and support third-party assessments
- Own the vulnerability management lifecycle from discovery, prioritization, remediation tracking, through to validation
- Develop and maintain secure coding standards, developer security guidance, and training materials
- Integrate security tooling into CI/CD pipelines and champion shift-left security practices across the SDLC
- Investigate security incidents and bug bounty submissions; provide root cause analysis and remediation recommendations
- Partner with Product and Engineering on security architecture decisions for new product capabilities
- Stay current on emerging threats, CVEs, and attack techniques relevant to our technology stack and support continuous program improvement
Requirements:
- 5+ years of experience in application security, with hands-on proficiency in both secure development lifecycle practices and offensive testing
- Strong understanding of web application and API security fundamentals (OWASP, MITRE, CIS, API-specific attack surfaces)
- Experience operating SAST/DAST/SCA ASPM tools
- Fluency in scripting or development languages (Python, JavaScript, Go, Ruby, or similar) sufficient to review code and write internal tooling
- Experience designing and executing penetration tests against modern web and mobile applications
- Familiarity with cloud security (AWS preferred, some GCP and OVH) and container/Kubernetes security
- Comfortable in a regulated environment (e.g., SOC 2 or similar)
- Excellent written and verbal communication skills; able to translate technical risk to non-technical stakeholders
- Proven experience with leveraging AI tools in both professional and personal settings. ButterflyMX is an AI-forward organization and the ability to optimize efficiency using AI is crucial in every role. Can you use LLMs to build a threat model (bootstrap from the code, docs, and vulnerability history, entry points, git history, etc. and leverage Shostack's four questions); to build an isolation layer to run agents safely and verify exploitability matched to the threat model; to partition the search space and leverage SAST scanners or fuzzers; to filter out non-exploitable findings and triage for patch priority; and, to rate the severity based on reachability, attacker control, preconditions, authentication, read vs write, and blast radius
- Relevant certifications a plus: OSCP, GWAPT, GPEN, CEH, or equivalent