[Hiring] Senior Application Security Engineer @Onit
Senior Application Security Engineer @Onit
Software Development
Salary unspecified
Remote Location
Employment Type full-time
Posted 2d ago

2d ago - Onit is hiring a remote Senior Application Security Engineer. 💸 Salary: unspecified 📍 Location: India

Role Description

Onit, Inc. is looking for an Application Security Engineer to help secure our SaaS applications, APIs, and emerging AI capabilities. This is a hands-on, high-impact role where you'll work closely with engineering and product teams to design secure systems, identify vulnerabilities, and improve how we build software. You'll play a key role in shaping our security practices as we scale.

Key Responsibilities

  • Security Architecture & Design Reviews
    • Lead security reviews for application architecture and system design
    • Evaluate designs for:
      • Authentication & authorization models
      • Data access patterns
      • API exposure and trust boundaries
    • Provide clear, actionable guidance to engineering teams
    • Identify risks early and influence secure design decisions
  • Go-Live Security Reviews & Risk Decisions
    • Conduct pre-production / go-live security assessments
    • Determine whether a feature is safe to launch and what risks must be mitigated vs accepted
    • Partner with engineering and product to prioritize fixes and define compensating controls
    • Act as a security approver / advisor for production releases
  • Authentication, Authorization & Access Control
    • Design and assess:
      • OAuth2, OIDC, SAML implementations
      • RBAC / fine-grained authorization models
    • Identify and remediate broken access control and privilege escalation paths
    • Drive adoption of least privilege and secure access patterns
  • API Security
    • Lead security reviews of REST, GraphQL, and event-driven APIs
    • Identify risks such as:
      • Broken Object Level Authorization (BOLA)
      • Injection vulnerabilities
      • Data leakage
    • Define standards for:
      • API authentication
      • Input validation
      • Rate limiting and abuse protection
  • AI & Emerging Technology Security
    • Assess security risks in AI-powered features and systems
    • Evaluate threats such as:
      • Prompt injection
      • Data leakage via LLMs
      • Model misuse and access control gaps
    • Help define and implement AI security guardrails
    • Review architectures involving MCP (Model Context Protocol) or similar AI integration patterns
  • Vulnerability Management & Testing
    • Lead vulnerability identification using static analysis (SAST) and dependency scanning (SCA)
    • Validate findings and eliminate false positives
    • Prioritize vulnerabilities based on exploitability and business impact
    • Drive remediation with engineering teams
  • Attack Surface & Risk Assessment
    • Assess and map application attack surface
    • Identify exposed services, endpoints, and integrations
    • Evaluate third-party and supply chain risks
    • Continuously improve visibility into application risk
  • Security Tooling & DevSecOps
    • Integrate and optimize security tools in CI/CD pipelines
    • Define security gates for builds and releases
    • Automate security checks where possible
    • Improve developer experience with secure defaults

Qualifications

  • 10+ years of experience in Application Security, Security Engineering, or Software Engineering with a strong security focus
  • Proven experience performing security architecture/design reviews and go-live/production readiness security assessments; experience with cloud platforms (AWS, GCP, Azure) preferred
  • Strong understanding of the OWASP Top 10 and modern web vulnerabilities, as well as secure system design and threat modeling
  • Experience with SAST tools (e.g., SonarQube, Checkmarx) and SCA tools (e.g., Snyk, Dependabot)
  • Ability to assess real-world risk and prioritize effectively in a SaaS environment
  • Understanding of LLM risks (prompt injection, data leakage) and AI system architecture
  • Exposure to securing AI features or platforms
  • Familiarity with MCP or similar AI integration patterns
  • Deep expertise in the following:
    • Authentication & Authorization
      • OAuth2, OIDC, SAML
      • RBAC / ABAC / least privilege models
    • API Security
      • REST / GraphQL
      • Common API attack vectors (BOLA, injection, data exposure)
    • Application Security
      • Secure coding practices
      • Input validation, output encoding, session management

Benefits

  • Health Coverage: Employee and immediate family members.
  • Time Away: Flexible paid time off and 10 company paid holidays annually.
  • Family Support:
    • Exceptional paid leave for birth parents, non-birth parents, and caregivers.
    • Onit also offers surrogacy and adoption reimbursement.
  • Income Protection: 100% employer-paid life and disability insurance.
  • Additional Coverage Options: Voluntary benefits including hospital indemnity, critical illness, accident.
  • Tax-Advantaged Accounts: Flexi, NPS.
  • Community Engagement: One paid volunteer day each year to give back to the community.