Senior Application Security Engineer

Onebrief is collaboration and AI-powered workflow software designed specifically for military staffs. By transforming this work, Onebrief makes the staff as a whole superhuman - meaning faster, smarter, and more efficient.

We take ownership, seek excellence, and play to win with the seriousness and camaraderie of an Olympic team. Onebrief operates as an all-remote company, though many of our employees work alongside our customers at military commands around the world.

Founded in 2019 by a group of experienced planners, today, Onebrief’s team spans veterans from all forces and global organizations, and technologists from leading-edge software companies. We’ve raised $320m+ from top-tier investors, including Battery Ventures, General Catalyst, Sapphire Ventures, Insight Partners, and Human Capital, and today, Onebrief is valued at $2.15B. With this continued growth, Onebrief is able to make an impact where it matters most.

This role is remote. The role may require occasional (once per quarter or less) on-site activities at customer locations.

Must be a US Citizen, eligible for a Secret Security Clearance. Active Secret or Top Secret Clearance is a plus, SCI eligibility is a plus.

We are hiring an Application Security Engineer to join our Infrastructure & Security team. You’ll report to our Director of Infrastructure and work closely with fellow SREs, Software Engineers, DevOps Engineers, Platform Engineers, Customer Relations, and Cybersecurity Analysts.

You will be helping identify, triage and fix security issues within the Onebrief application and related platform and deployed infrastructure.

You are a security-minded individual who knows that vulnerabilities in modern software are an existential business risk. Maybe you love reading incident reports, and perhaps you even participate in security conferences like DefCon or OWASP meetups. Ideally, you have experience in a related field like software engineering, DevOps or systems administration. You are familiar with modern cloud-native technologies like Kubernetes and have experience with software development. Maybe you have experience with game cheat development/detection, bug bounties, or maybe you come from a traditional enterprise security background.

You will own the security and compliance posture of our software products and platform. You will do this by:

• Find Vulnerabilities in our Software: Bring an attacker’s mindset to review PRs, perform code audits, and utilize static analysis to identify vulnerable code patterns that can be exploited by adversaries. Use dynamic analysis, fuzzers and code reviews to find weaknesses in our codebase and work with developers to patch them.

• Fix Vulnerabilities Across the Full Stack: Think like an adversary to find, fix, prevent or patch vulnerabilities from browser to kernel. Utilize vulnerability scanners to find unpatched components, and identify configuration errors that could expose our deployments to an attacker. Work with platform engineers to harden our customer environments and utilize best practices. Advise on network configuration, identity and access management and infrastructure security.

• Improve the Security Posture of Infrastructure: Review identity and access management, logging, auditing, monitoring to help craft a layered defense for our corporate infrastructure and customer environments. Work with Cybersecurity analysts to help ensure compliance with corporate/Federal standards like SOC II, NIST and FedRamp Moderate/High.

• Make the Team Stronger: Mentor other engineers on best security practices, share news of vulnerable libraries and compromises, engage with community on active threats and trends in exploit development, malware, etc. Work to improve processes to shift security “left” and identify vulnerabilities earlier in the design, development and deployment of our software.

Experience & collaboration

• 5+ years of experience in Application Security, Cybersecurity Engineering, Software Engineering or a related field, preferably with first-hand experience ensuring security in high-compliance environments like PCI DSS, HIPAA or NIST.

• U.S. citizenship required, security clearance greatly desired.

• A strong understanding of Linux, containerization and orchestration, and virtual machines

• Networking fundamentals: core protocols and secure configurations.

• A deep understanding of incident response processes, with experience conducting thorough root cause analyses and driving continuous improvement

• Clear, concise writing; strong documentation habits and async communication.

• Core skills and technologies: Javascript/Browser security, Network Security, Firewalls, Intrusion Detection, Static Analysis, Dynamic Analysis, Container Scanning, Kubernetes, Docker, Helm, Ansible, Terraform, Linux, AWS, DoD compliance, Monitoring and Observability tools.

Bonus points (nice to have)

• Experience with compliance frameworks/processes (RMF, STIGs/SRGs, PCI DSS, HIPAA, ICD 503).

• Security considerations/design for air-gapped environments.

• Active Security+ or another DoD 8570.01-approved security credential, or the ability to obtain the valid credentials within 3 months of employment.

• Must-Have Skills and Qualifications:

  • Required years of experience and relevant industries.

    • 5+ years experience in Cybersecurity, Software Engineering and/or DevOps

  • Essential technical or soft skills.

    • Familiarity with DevOps practices, CI/CD

    • Familiarity with security tooling such as Static & Dynamic Analysis (SAST/DAST)

    • Familiarity with networking, web protocols

    • Working grasp of PKI, TLS and cryptographic primitives

• Preferred Skills and Qualifications:

  • Additional skills or experience that would be advantageous.

    • JavaScript Experience

    • Security+ Certification or other IAT Level II equivalent

    • CSSLP or CISSP

    • Familiarity with DoD Software Lifecycle, RMF/ATO, STIG

    • Pentesting / Red Team experience

    • Familiarity with web authentication/authorization technologies such as SSO, SAML, OIDC, JWT, etc.

    • Experience with Kubernetes and modern Cloud-Native deployment strategies

Notice to Third Party Recruitment Agencies
Please note that Onebrief does not accept unsolicited resumes from recruiters or employment agencies. In the absence of an executed Recruitment Services Agreement, there will be no obligation to any referral compensation or recruiter fee. In the event a recruiter or agency submits a resume or candidate without an agreement Onebrief explicitly reserves the right to pursue and hire those candidate(s) without any financial obligation to the recruiter or agency. Any unsolicited resumes, including those submitted to hiring managers, shall be deemed the property of Onebrief.