Senior Principal Security Engineer – Cloud & Application Security

Team: Software Engineering

Location: San Jose, CA

Commitment: Full-Time

Workplace Type: hybrid

WHAT YOU WILL BE DOING

 

Lead SAST, SCA, and secret detection initiatives across Java, Spring Boot, Grails, JVM-based, and Python application and IaC stacks

Triage, prioritize, and remediate vulnerabilities — including writing code fixes

Define and enforce container security standards for Docker images, base image hardening, and runtime policies

Secure Kubernetes clusters on AWS EKS and/or Azure AKS — RBAC, network policies, pod security standards, admission controllers

Experience with infrastructure-as-code security scanning — Terraform, CloudFormation, and Helm chart security review and hardening

Conduct threat modeling on new features and requirements provided by product teams -  identify attack surfaces, data flow risks, and trust boundaries before code is written (STRIDE, DREAD, or equivalent frameworks)

Conduct targeted penetration testing and vulnerability assessments on applications and infrastructure

Assess application security needs and recommend WAF, DDoS protection, and rate limiting strategies (e.g., Cloudflare, AWS WAF/Shield, Azure Front Door)

Collaborate with tiger teams during incident response to analyze, contain, and remediate critical and zero-day vulnerabilities

Evangelize OWASP Top 10 awareness and secure coding practices across engineering teams through structured training programs, lunch-and-learns, and hands-on workshops

Administer a security training platform — curate learning paths, track completion metrics, and ensure all engineers complete baseline secure coding training

Evaluate, integrate and mature security tooling into CI/CD pipelines

Experience building internal security tooling or custom SAST/SCA rules

    

WHAT YOU BRING

10+ years in software engineering or security engineering, with 5+ years focused on application and infrastructure security

AI first approach to assess, design, triage and fix issues. Produce shareable AI artifacts for others to scale fixing issues

Deep expertise in static analysis (SAST), software composition analysis (SCA), and secret scanning across JVM ecosystems (Java, Spring Boot, Grails) and Python

Strong hands-on coding ability — you can read, write, and fix code in Java, Python, and Groovy

Production experience securing Kubernetes workloads on AWS EKS or Azure AKS

Solid understanding of container security — image scanning, runtime protection, least-privilege configurations

Strong knowledge of end-to-end encryption — TLS/mTLS implementation, certificate management, PKI, key rotation, and secrets management (HashiCorp Vault, AWS KMS,Azure Key Vault)

Proven experience conducting threat modeling on product requirements — ability to partner with product teams early in the SDLC to identify and mitigate risks before implementation

Working knowledge of network security: ingress/egress controls, TLS termination, mTLS, VPC/VNET segmentation

Practical experience with penetration testing tools and methodologies (Burp Suite, OWASP ZAP, etc.)

Strong command of OWASP Top 10 vulnerabilities and their mitigations

Demonstrated experience evangelizing security culture — delivering training, mentoring developers, and driving adoption of secure coding practices using security training platforms

Experience responding to critical security incidents and zero-day disclosures in fast-paced environments

NICE TO HAVE

Database security experience — access controls, query injection prevention, audit logging, encryption at the storage layer (PostgreSQL, MySQL, Oracle, Elasticsearch)

Familiarity with service mesh security (Istio, Linkerd)

Design and review network security controls including ingress/egress traffic policies, service mesh configurations, and firewall rules

Implement and enforce end-to-end encryption using TLS and mTLS across services — certificate lifecycle management, trust chain validation, and zero-trust network architecture