Qualia is a leading B2B real estate technology company that aims to simplify the home buying and selling process. They are seeking a Senior Application Security Engineer to lead efforts in identifying and mitigating security vulnerabilities across their products and infrastructure while collaborating with various engineering teams to enhance security practices.
Responsibilities:
- Run offensive assessments against Qualia's applications and infrastructure: manual penetration testing, exploit development, authenticated web/API testing, and adversarial review of new designs before they ship
- Lead threat modeling and secure design review for the highest-risk initiatives across the company, and mentor engineers to do the same for their own work
- Own and evolve our AppSec tooling stack end-to-end - SAST, DAST, SCA, secret scanning, IaC scanning, and the CI/CD gates that tie them together. Build the custom rules, detections, and automation that generic tooling doesn't give us
- Harden our cloud posture: review AWS configurations, IAM policies, Kubernetes/EKS workloads, and networking boundaries; build automation and guardrails that prevent the same class of issue from recurring
- Reduce toil for the team - write the tools, scripts, and integrations that turn a day of triage into a few minutes
- Partner with Infrastructure and Platform on detection engineering, incident response support, and cross-cutting programs (secrets management, supply chain, runtime security)
- Set the technical bar for the AppSec team: raise the quality of reviews, establish patterns others can reuse, and mentor peers across seniority levels
- Represent AppSec in architectural reviews, vendor evaluations, and compliance efforts
Requirements:
- 8+ years of hands-on experience in application security, offensive security, or security engineering, with demonstrable depth in at least two of: offensive testing, security tooling/automation, and cloud/infra security
- Strong offensive skills - you can manually exploit real web and API vulnerabilities beyond what a scanner will find, and you can teach others to do the same
- Deep familiarity with building and operating security tooling in a modern engineering org: SAST/DAST/SCA pipelines, custom detection rules, secrets scanning, and CI/CD security gates. You've written tooling, not just configured it
- Production experience with AWS (IAM, VPC, networking, data services), containerized workloads (Docker, Kubernetes/EKS), and infrastructure-as-code (Terraform or similar)
- Comfort reading, reviewing, and contributing code in at least one language common to modern web stacks (Python, Go, Ruby, TypeScript, or similar)
- Clear, direct communication style. You can make a sharp technical argument to senior engineers, translate risk into business terms for leadership, and write a bug report an engineer actually wants to fix
- Strong partnership instincts - you get leverage by making other teams faster, not by blocking them
- Experience in fintech, proptech, healthcare, or another regulated industry where data sensitivity is high
- Background meaningfully contributing to a bug bounty program
- Experience with identity and access systems (OIDC, SAML, federation, fine-grained authorization)
- Detection engineering, DFIR, or red-team experience
- Open source contributions to security tooling, published research, or CVE credits
- Relevant certifications (OSCP, OSWE, GWAPT, GPEN, etc.) - valued but not required