Staff II - Application Security Engineer
Omnissa · Atlanta, GA · 2 wk ago
HybridInformation Technology$220k–$270k/yrFull-time
Key Responsibilities
- Set technical direction for application security across the portfolio — defining standards, patterns, and guardrails adopted by engineering teams at scale.
- Lead threat modeling across distributed, cloud-native, and mobile architectures as a repeatable practice embedded in the development lifecycle, not a one-off exercise.
- Define security architecture reference designs that, when followed by engineering teams, remove the need to security-review that aspect on a per-feature basis.
- Influence roadmap and design decisions before implementation begins to identify architectural risk early.
- Perform manual code review and application security testing across Java and C++ codebases; codify findings into reusable guidance engineers can act on without follow-up.
- Scale code review coverage using AI-assisted analysis and custom CodeQL queries tuned to Omnissa's codebase and vulnerability patterns.
- Conduct variant analysis to ensure confirmed vulnerability classes are remediated consistently across the codebase, not in isolation.
- Triage and validate externally reported vulnerabilities — assess exploitability, severity, and business impact, and drive remediation to closure across team boundaries.
- Translate individual findings into systemic recommendations that address root-cause design or implementation gaps across products.
- Define and evolve the Software Development Lifecycle (SDL) — identify gaps, drive measurable improvements, and own the iteration cycle.
- Improve the feature security review program so security work shifts left into design and scales across teams, rather than landing as a release gate.
- Mature the product penetration testing program — define scope, methodology, and cadence; ensure findings drive systemic fixes, not one-off patches.
- Build and scale the security champions program; mentor engineers and create training that extends security capability beyond the security team.
- Establish metrics that make program effectiveness visible to engineering and product leadership.
What Success Looks Like
- First 3 months: Build a deep understanding of the product architecture, development toolchain, and release process across multiple product areas. Begin influencing in-flight architectural and design decisions, and identify the highest-leverage gaps in the current security program.
- First 6 months: Own the security strategy for a significant area of the portfolio. Set direction that other engineers execute against, drive cross-team prioritization of security work, and shape backlog and roadmap decisions. Iterate improvements on the current SDL.
- 12 months and beyond: Deliver measurable, org-level improvements in security posture — e.g., materially reduced mean time to remediation, broadened threat model coverage, or new automation adopted in production across teams. Be recognized as a go-to technical authority on application security and a multiplier of the team’s overall effectiveness.
Leadership and Team Culture
- Report to the Director of Product Security and take technical direction from the Manager of Application Security, while operating with a high degree of autonomy.
- Work closely with a committed team of security engineers, product managers, and developers focused on innovation and getting things done.
- Build trust among team members and stakeholders, committing to customer success.
- Operate in a transparent, communicative environment that emphasizes work-life balance and having fun at work.
- Identify and drive improvements to security processes - both internal workflows and partner-facing interfaces - that reduce friction for development teams and increase the daily effectiveness of security engineers.
Required Experience
- 12+ years of hands-on application security experience, with demonstrated technical depth and a track record of influence beyond your own work.
- Deep knowledge of application security vulnerabilities and mitigation techniques, and the judgment to prioritize them by real business and customer impact.
- Proven ability to lead threat modeling, secure design, and security architecture for complex distributed and cloud-native systems.
- Proficiency in Java or C++, with the ability to read, reason about, and review production code.
- Security breadth across multiple domains — application, system, cloud, and mobile.
- Demonstrated history of driving technical change and raising the security bar across teams, and of mentoring senior engineers.
- Excellent documentation and communication skills, including the ability to influence engineering and product leadership.
- Self-starter who is adaptable, works independently, and brings clarity to ambiguous problems.
- Pragmatic mindset; able to identify practical short term and long term strategic solutions.
PREFERRED EXPERIENCE
- Experience testing agentic AI systems, and the ability to leverage AI tooling across security testing, triage, and documentation workflows.
- Experience building automation solutions that improve the security process at scale.
- Prior experience as a pen tester for a multi-tenant SaaS provider.