Principal Engineer — Product & Application Security
Freshworks · San Mateo, CA · Yesterday
HybridOTHR$241k–$298k/yrFull-time
Key Responsibilities
- Own the multi-year technical vision and architecture strategy for product and application security across all Freshworks products (Freshdesk, Freshservice, and the shared Platform), and drive alignment on it across engineering and the CISO organization.
- Define the secure-by-design reference architectures, paradigms, and organization-wide standards (authN/authZ, tenant isolation, data protection, secrets, API security) that thousands of engineers build against.
- Set the strategic security agenda for the AI-first platform — securing the AI Agent Platform, Knowledge/Context Graph, and agentic workflows — anticipating threat classes before they reach production.
- Operate as a company-wide force multiplier — writing code and reference implementations, setting technical direction that outlives any single project, mentoring Staff and Senior Staff security engineers, and partnering directly with VP Engineering, the CISO organization, and product leadership to make security a durable competitive advantage.
Responsibilities
- Threat modeling and security design reviews for the most critical, cross-cutting, and highest-risk systems — including identity and access, the integrations/connector framework (300+ apps), and the agent runtime.
- Lead threat modeling and security design reviews for the most critical, cross-cutting, and highest-risk systems — including identity and access, the integrations/connector framework (300+ apps), and the agent runtime.
- Set the standard for secure code review, manual and AI-assisted penetration testing, and vulnerability analysis; drive root-cause remediation strategies that eliminate whole vulnerability classes across the estate, not one bug at a time.
- Architect and harden multi-tenant security controls: strict tenant isolation, authentication/authorization models, secrets management, data protection, and API gateway security.
- Own the security design for AI/agentic features — prompt injection defense, tool-invocation authorization, non-human identity, and permission-scoped context access.
- Define the organization-wide, AI-assisted left-shift strategy: how SAST, DAST (e.g., Snyk), SCA/dependency scanning, secret detection, and IaC scanning are embedded across every CI/CD pipeline to catch issues before production.
- Define the direction for security tooling, automation, and paved-road frameworks and libraries that make the secure path the default path — including code-component asset inventory (API/SBOM/RBAC/secrets/integrations) and secure-by-default product hardening.
- Establish secure coding standards, golden patterns, and guardrails; operationalize threat modeling and maturity models (SAMM) across the product portfolio; and define the security quality gates the whole org is measured against.
- Vulnerability Management & Incident Response: Serve as the top technical escalation point for the most severe security incidents — leading investigation, containment strategy, and post-incident architectural hardening.
- Shape the strategy for the bug bounty and responsible-disclosure program.
Qualifications
- Professional Experience: 12+ years in software engineering and/or security, with deep, sustained hands-on ownership of application/product security for production SaaS at enterprise scale.
- Track record as a Principal-level (or equivalent) individual contributor whose technical vision and standards shaped an entire engineering organization — you have defined direction that outlived individual projects.
- Deep experience securing multi-tenant, cloud-native SaaS platforms (ideally on AWS), including tenant isolation, authN/authZ, and API security at scale.
- Demonstrated impact eliminating vulnerability classes and setting the security frameworks, reference architectures, or paved roads adopted org-wide.
- Mastery of threat modeling (e.g., STRIDE), secure code review, and both manual and AI-assisted penetration testing across web, API, and cloud surfaces.
- Deep experience embedding security into CI/CD at scale: SAST, DAST (e.g., Snyk, Snyk Code), SCA, secret scanning, IaC scanning, artifact-repository management (e.g., Sonatype Nexus), and container/Kubernetes security aligned to the OWASP Kubernetes Top Ten (RBAC, workload isolation, supply-chain, and misconfiguration risks).
- Strong coding ability in one or more of Ruby, Java, Go, Python, or JavaScript/TypeScript — enough to build reference implementations and security tooling and to be credible in any code review.
- Strong cloud security expertise (AWS preferred): IAM and role right-sizing, network/egress controls, KMS/secrets management, BYOK/field-level encryption, and infrastructure-as-code (Terraform/CloudFormation).
- Authoritative grasp of cryptographic and compliance standards relevant to enterprise SaaS — e.g., FIPS 140-2/140-3, PCI, SOC 2, ISO 27001, and Google CASA / TX-RAMP control frameworks.
- Deep understanding of securing AI/LLM and agentic systems — including Claude and other LLM security concerns such as prompt injection, insecure tool use, model/data exposure, and non-human identity.
- Ability to set technical direction for and influence an entire engineering organization — and senior executives (VP/CISO) — through technical credibility and clear communication.
- Genuine service-oriented, "make the secure path the easy path" mindset toward internal developers.
- Multiplier: track record of growing Staff and Senior Staff engineers and building a durable security-champion culture across distributed teams.