Rain

Senior Application Security Engineer

Rain

full-time

Posted on:

Origin:  • 🇺🇸 United States

Visit company website
AI Apply
Manual Apply

Job Level

Senior

Tech Stack

AWSAzureCloudCyber SecurityGoGoogle Cloud PlatformGrafanaJavaScriptKubernetesMicroservicesNode.jsPythonReactReact NativeSDLC

About the role

  • Collaborate with development squads to validate vulnerabilities and provide actionable remediation guidance aligned with business risk.
  • Drive threat modeling sessions (e.g., STRIDE, PASTA) for critical systems and APIs.
  • Design, implement, and oversee automated processes for securely updating application and code dependencies, proactively mitigating issues and ensuring timely vulnerability remediation.
  • Integrate security checks into CI/CD pipelines (SAST, DAST, SCA, IaC), working with tools like Semgrep, Snyk, Trivy, and Burp Suite.
  • Contribute to runtime security initiatives, such as container/Kubernetes hardening, RASP, and eBPF-based detection.
  • Build and maintain a security issues dashboard to track remediation status and metrics.
  • Provide real-time support in the event of cybersecurity incidents impacting applications or cloud infrastructure (exploited vuln, credential stuffing, web/API attacks).
  • Partner with the Cloud Security team on security automation tasks and monitoring improvements (e.g., Security Hub remediation automations, DLP monitoring, etc.).
  • Conduct proactive research on new threats, vulnerabilities, and attack techniques relevant to Rain’s architecture.
  • Collaborate with the GRC team to develop and deliver internal security awareness initiatives, phishing campaigns, and developer training (e.g., secure coding, API security).
  • Participate in the continuous improvement of AppSec maturity (e.g., aligning with OWASP SAMM, ISO 27001, or SOC 2 frameworks).

Requirements

  • Fluent English, including strong verbal and written skills.
  • Strong problem-solving and analytical mindset.
  • Excellent communication skills to convey security risks to technical and non-technical stakeholders.
  • 3–5+ years of experience in application security, penetration testing roles, and/or secure code development, including work with QA teams.
  • Hands-on experience with SAST, DAST, and SCA tools (e.g., Semgrep, Burp, Snyk).
  • Deep understanding of web, mobile, and API vulnerabilities (OWASP Top 10, API Top 10, MITRE CWE).
  • Proven expertise in performing code review or security assessments and writing clear reports.
  • Proficiency in at least one backend language (e.g., Go, Python, Node.js) and understanding of React / React Native front-ends.
  • Familiarity with secure architecture of microservices, event-driven systems, and REST APIs using OAuth2/OpenID Connect.
  • Experience securing CI/CD pipelines and integrating AppSec tooling into SDLC.
  • Solid knowledge of containerization and Kubernetes security fundamentals.
  • Understanding of cloud security (preferably AWS), including IAM principles, cloud-native service configurations, and network segmentation.
  • Comfortable with Agile development methodologies and working within cross-functional squads.
  • Software supply chain security (e.g., SBOM, artifact signing).
  • Preferred: Certifications such as OSCP, OSWE, GWAPT, CPTE, or CSSLP.
  • Preferred: AWS, GCP, or Azure Security Specialty certification.
  • Preferred: Familiarity with bug bounty triage and vulnerability management platforms (e.g., DefectDojo).
  • Preferred: Experience implementing RASP or eBPF runtime protection tools.
  • Preferred: Exposure to LLM/AI security considerations and secure code generation practices.
  • Preferred: Familiarity with logging and monitoring tools (e.g., CloudWatch, Datadog, Grafana).