Senior Application Security Engineer

You will be the first dedicated Application Security Engineer at thredUP; you’ll have the opportunity to design and build security tools, platforms and processes from scratch. You will help to make security a focal point of our applications by setting security guidelines for engineering teams, implementing security frameworks and enabling security controls throughout the software development lifecycle.

thredUP leverages a modern technology infrastructure (AWS, Kubernetes, Istio) and a variety of application stacks (Ruby/Rails, JavaScript/Node.js, Java/Spring, Kotlin/Android, Swift/iOS, Python, etc.). We utilize Continuous Delivery pipelines to deliver hundreds of changes per day. The current security and observability tool-set includes Datadog, Cloudflare, Sift, Auditbeat, Flan, Clair-scanner, Ansible-hardening, Kube-bench, HackerOne and more. We are always looking to evaluate new technologies and vendors and have excellent tech teams ready to support security efforts.

Are you a DevSecOps practitioner and evangelist? Are you passionate about cloud-native technologies? If you thrive in a fast-paced environment and want to make an impact on day one, this could be the perfect role.

In This Role You’ll Get To:

Architect and implement security solutions, libraries, and frameworks that other teams can leverage to implement security practices
Provide security guidance and mentorship to the engineering teams
Integrate security controls into CI/CD pipelines
Analyze and enhance observability into the security of infrastructure, platform, and features by building tools and tests
Conduct regular security assessments
Proactively identify and implement ways to detect and mitigate fraudulent activity, thwart would-be attackers and curtail malicious bot traffic
Review and improve internal authentication & authorization systems
Conduct security investigations and forensics
Manage and optimize our Fraud Detection and Account Takeover Prevention platforms
Proactively research and evaluate security vendors, platforms and tools

What We’re Looking For:

5+ years of software development experience
3+ years of experience working in Information Security teams, conducting Information Security consulting or developing tools in the security domain
Experience in web, mobile and cloud security engineering
Skilled in log analysis, penetration testing and system hardening
Understanding of common cryptographic vulnerabilities
Knowledge of security controls across all security domains such as access management, encryption methods, vulnerability management, network security, etc.
Ability to build and maintain reports, dashboards and metrics for different levels of audience
A good understanding of OWASP/NIST Security standards
Experience in cloud environments (AWS preferred) and Linux containers and orchestration systems (Kubernetes preferred)
Experience developing and managing pragmatic and lightweight processes and procedures
Track record of influencing positive outcomes

What We Offer:
– 4-day work week with Fridays off
– Competitive salary (we leverage market data) + stock
– Employee stock purchase plan
– Flexible PTO (take the time you need) + 13 company holidays (US offices)
– Paid Sabbatical after 3 years of full time employment
– Generous paid parental leave for new mothers and fathers
– Medical, dental, vision, 401k, life and disability insurance offered
– We live by our Core Values of Transparency, SpeakingUP, Thinking Big, Infinite Learning, Influencing Outcomes & Seeking the Truth
– Voted “50 Most Innovative Companies of 2020”
– RaaS – Finalist in Fast Company’s World Changing Ideas Awards 2021
– 2021 FORTUNE Change the World Finalist