[Remote] Senior Application Security Engineer
Note: The job is a remote job and is open to candidates in the USA.

Apollo.io is the leading go-to-market solution for revenue teams, trusted by over 500,000 companies. They are seeking a Senior Application Security Engineer II who will be responsible for strengthening the secure software development lifecycle and reducing application risk across their products and platforms.

Responsibilities
- Own and continuously improve the secure software development lifecycle for Apollo applications so security is embedded into design, implementation, and deployment
- Perform application security reviews, threat modeling, and deep code-level analysis for high-impact product, platform, and AI features before launch
- Provide practical security architecture guidance to Engineering, Product, and IT teams
- Help define and maintain application-security guardrails, secure design expectations, code review standards, and risk models for new and existing systems
- Drive execution-heavy vulnerability management across internal reviews, bug bounty, pentests, SCA/runtime findings, and other research signals, ensuring findings are validated, prioritized, routed clearly, and tracked through remediation and verification within SLAs
- Go beyond identifying issues: read the code, explain root cause, propose the safest fix, and directly implement or support remediation when needed for complex vulnerabilities
- Perform hands-on validation and offensive security testing of applications and fixes, including exploit development, bypass testing, adversarial thinking, and focused red-team-style exercises, to confirm remediations address the underlying issue rather than only the initial symptom
- Work across the kinds of application security issues common in modern SaaS environments, including authentication and authorization weaknesses, access control risks, OAuth and CSRF design flaws, SSRF, cryptographic and verification issues, information disclosure and data exposure risks, unsafe execution and deserialization patterns, and dependency or runtime vulnerabilities
- Apply clear, risk-based severity decisions using exploitability, data sensitivity, customer impact, and blast radius
- Configure and improve AppSec tooling and integrations, including SAST configuration, ignore lists, dashboards, and other controls that maintain useful coverage without excessive noise
- Select, build, or refine security tooling, small automations, and workflow enrichments that reduce manual effort and scale AppSec operations responsibly
- Use AI to automate, transform, and scale security and engineering-adjacent processes where it materially improves speed, consistency, or signal quality, while still validating outputs with strong engineering judgment
- Embed AI-specific security checks into SSDLC reviews and code analysis, including input and output handling, AI-exposed APIs, prompt and response guardrails, and abuse or data-exfiltration paths
- Partner cross-functionally on AI security requirements and controls so AI systems and AI-powered features are designed, deployed, and operated securely
- Support and scale security enablement for engineers and security champions, including secure coding, AppSec, and AI-safety content
- Provide actionable remediation guidance, secure patterns, and examples that help engineering teams fix issues quickly and correctly
- Partner closely with Engineering, Product, Platform, Data, Legal, and other security teams to keep AppSec priorities aligned with business risk and product velocity
- Produce clear documentation, metrics, and written narratives that improve AppSec visibility, observability, and decision-making

Skills
- 5+ years of software engineering or application security experience, with meaningful hands-on AppSec depth in modern SaaS environments
- Strong software development skills and the ability to read, write, and ship production code; Ruby experience is highly valuable, and Python or similar scripting ability is a plus
- Strong Linux and cloud fundamentals, ideally with experience in GCP-backed environments
- Deep familiarity with common AppSec issues, secure design, secure authentication and authorization patterns, vulnerability management, and developer security tooling
- Demonstrated ability to perform deep code review, penetration testing, and exploit-oriented validation, and to either fix vulnerabilities directly or work closely with engineers to land durable remediations that hold up against bypass attempts and variant analysis
- Experience handling findings from bug bounty, pentests, internal reviews, or automated security tooling through closure and verification
- Experience using AI-assisted tools, automations, APIs, or structured workflows to improve engineering or security processes at scale
- Experience securing AI-powered systems or features, including AI API exposure, prompt and response handling, data protection, misuse scenarios, and monitoring expectations
- Strong written and verbal communication, stakeholder management, and influencing skills across technical and non-technical partners
- Experience supporting or leading security reviews for AI-native products, internal agents, or AI-assisted engineering workflows
- Experience improving secure-by-design practices and AppSec observability in a fast-moving engineering organization
- Experience with security training, developer enablement, or security champions programs
- Relevant security certifications are a plus

Benefits
- Equity
- Company bonus or sales commissions/bonuses
- 401(k) plan
- At least 10 paid holidays per year, flex PTO, and parental leave
- Employee assistance program and wellbeing benefits
- Global travel coverage
- Life/AD&D/STD/LTD insurance
- FSA/HSA and medical, dental, and vision benefits

Company Overview
Building the industry’s first fully agentic GTM platform, transforming how revenue teams execute. It was founded in 2015, and is headquartered in San Francisco, California, USA, with a workforce of 501-1000 employees. Its website is https://www.apollo.io.

Company H1B Sponsorship
Apollo.io has a track record of offering H1B sponsorships, with 2 in 2026, 13 in 2025, 7 in 2024, 6 in 2023, 2 in 2022, 2 in 2021. Please note that this does not guarantee sponsorship for this specific role.