Staff Application Security Engineer

Remote

About us

Onebrief makes military planning seamless and represents a shift in paradigm for future military decisions. It is an all-in-one tool that supports both the creative and process-oriented aspects of military planning. In Onebrief, planners use maps, boards, diagrams, timelines, slides and written products to create their plans—all while sharing a common database. Everything stays in sync, in real time. Our approach has been refined and validated through hundreds of user experiments.

Our product is currently in broad use at 8 of the largest military headquarters in the world. 3 of the 4 biggest operational plans in the US are currently built with Onebrief. Last year, we achieved 100% gross retention and 158% net retention—our revenue grew 4x and reached double-digit millions. We are backed by Y Combinator (S21) and top-tier VCs, including Caffeinated Capital (Affirm, Docker, Notion, and more) and Human Capital (Anduril, Brex, Snowflake, and more), and have raised a total of $44.6M in venture capital. Our elite team combines the best of tech and military talent, including education and experience at Google, Twitter, Adobe, MIT, Harvard, Special Operations, TOPGUN, and more.

What you will achieve

As an App Security Engineer at Onebrief, you'll regularly assess security, code, and vulnerabilities, and work with the software team to address weaknesses. You'll help implement security policies and procedures according to standards, advise on secure architecture and software design, and keep up to date with the latest threats and technologies. You will respond to incidents when needed. You will enhance the organization's security posture by staying updated on emerging threats and delivering security training programs.

About You

This is an opportunity for candidates who have a strong understanding of application-level security, network security, and operating system security, who are familiar with security frameworks, and who have experience with vulnerability management tools, penetration testing tools, and other security testing tools.

The ideal candidate will have a strong background in application security, with experience in both the private sector and the U.S. Department of Defense. This role requires a deep understanding of security best practices, threat modeling, and secure software development lifecycle (SDLC) processes. The candidate should also possess relevant certifications such as the Offensive Security Certified Expert (OSCE).

You will report directly to our Deputy CISO.

Relevant skills and technologies: Penetration Testing, Vulnerability Management, Operating Static and Dynamic Application Security Testing Tools, Kubernetes, Docker, Helm, Ansible, Linux, VMware, AWS, TypeScript

Qualifications

  • Strong knowledge of application security principles, web vulnerabilities, and threat landscape

  • Familiarity with security frameworks (OWASP, SANS), security controls, and risk management methodologies

  • Proficiency in secure coding practices and experience with various programming languages

  • Strong understanding of CI/CD pipelines and where security checks should be applied

  • Experience with vulnerability management tools, static/dynamic analysis tools, and penetration testing tools

  • Minimum 6 years of experience in application security or related roles. Bachelor's or Master's degree in Computer Science, Information Security, or a related field is desirable

  • Certifications such as Offensive Security Certified Expert (OSCE), Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and GIAC Web Application Defender (GWEB) are a plus

  • You are obsessed with creating value for real users

  • You are committed to performing up to your potential

  • You are ambitious, scrappy, and a creative problem-solver

  • You learn quickly, work iteratively, and naturally seek collaboration

  • You approach your work with integrity, intellectual honesty, and a low ego

  • You communicate frankly, clearly, and succinctly

  • You thrive as a self-starter, embracing autonomy and ambiguity

  • You are a U.S. citizen

Job Profile

Skills

Ansible, AWS, Docker, Helm, Kubernetes, Linux, Penetration Testing, TypeScript, VMware, Vulnerability Management

Tasks
  • Advise on secure architecture and software design
  • Assess security, code, and vulnerabilities
  • Deliver security training programs
  • Implement security policies and procedures
  • Respond to incidents when needed
  • Stay updated on emerging threats and technologies

Experience

6 years

Education

Bachelor's, Computer Science, Information Security, Master's

Certifications

Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), GIAC Web Application Defender (GWEB), Offensive Security Certified Expert (OSCE)

Restrictions

U.S. Citizen