Staff Application Security Engineer

Thumbtack · Remote (Canada) · Cybersecurity

WFA Digital Insight

As demand for cloud security specialists surges, with a 28% increase in job postings in the last year, professionals with expertise in application security are in high demand. With the rise of AI-powered features, companies like Thumbtack require skilled engineers who can design secure-by-default architectures. Thumbtack's commitment to innovation and security makes this role stand out. Before applying, candidates should be aware of the need for strong technical expertise and the ability to balance pragmatism with rigor in a fast-paced environment.

Job Description

About the Role

The Staff Application Security Engineer role at Thumbtack is a critical position focused on enabling innovation at scale by integrating security into the core of the company's systems and platforms. This involves working closely with product, engineering, platform, and data teams to design secure architectures and guide architectural decisions. The goal is to ensure that Thumbtack can innovate quickly and maintain customer trust without compromising security.

As part of the Security Engineering team, the successful candidate will be at the forefront of securing Thumbtack's growing portfolio of products and services, including those incorporating AI-powered features. This is a key moment for the company, as it scales and expands its offerings, and security must evolve to meet the new challenges this presents.

The role is based in Canada and offers the opportunity to work remotely, contributing to a team that values collaboration, automation, and thoughtful decision-making. The team's approach to security is centered on making the secure path the easiest path, ensuring that security is not seen as a barrier to innovation but as a fundamental aspect of the design process.

What You Will Do

  • Own the long-term technical direction for application security across Thumbtack, developing prioritized roadmaps and driving remediation of systemic security risks.
  • Lead large, cross-functional security initiatives from problem definition through delivery, collaborating with various teams to ensure security is integrated into all aspects of the business.
  • Design secure-by-default architectures, standards, and paved paths for engineering teams, ensuring that security is embedded into the design process from the outset.
  • Develop and implement shared security tooling, libraries, patterns, and services that enable engineering teams to ship quickly and safely.
  • Embed security into CI/CD pipelines, cloud infrastructure, and developer workflows, ensuring that security is an integral part of the development process.
  • Partner with engineering and product leaders to prioritize security investments based on risk, impact, and business goals, providing expert advice on security matters.
  • Lead application security design reviews, architectural discussions, and threat modeling for critical systems, ensuring that security considerations are at the forefront of design decisions.
  • Contribute code, reviews, and designs to address complex or novel security risks, staying up-to-date with the latest security threats and technologies.
  • Mentor engineers and raise the overall security bar through guidance and example, promoting a culture of security within the organization.
  • Support security incident response and drive learning through post-incident analysis, ensuring that the company learns from incidents and improves its security posture.

What We Are Looking For

  • 8+ years of experience in software engineering and application security, with a strong understanding of secure coding practices and application security frameworks.
  • Deep expertise in secure system design and architecture, as well as modern application security tools, patterns, and practices.
  • Proven track record leading large, cross-functional technical initiatives with sustained impact, demonstrating the ability to drive change and improvement.
  • Strong experience securing modern, cloud-native systems, with proficiency in AWS and/or GCP.
  • Strong product intuition and analytical, risk-informed thinking, with the ability to identify where security investments will have the highest leverage and measurable impact.
  • Ability to balance pragmatism and rigor, making thoughtful tradeoffs and decisions that align with business goals and security best practices.
  • Excellent communication and collaboration skills, with the ability to work effectively with diverse teams and stakeholders.

Nice to Have

  • Experience with threat modeling, secure design patterns, authentication and authorization, secrets management, vulnerability discovery, and remediation workflows.
  • Familiarity with security compliance frameworks and regulations, such as GDPR and HIPAA.
  • Knowledge of programming languages such as Python, Java, or C++, and experience with security testing tools and technologies.

Benefits and Perks

  • Competitive compensation package, including salary and equity.
  • Comprehensive health insurance, including medical, dental, and vision coverage.
  • Generous PTO policy, with flexible vacation time and sick leave.
  • Remote work stipend, providing support for home office setup and maintenance.
  • Opportunities for professional development and growth, including training, mentorship, and conference attendance.
  • Access to cutting-edge technologies and tools, with the freedom to innovate and experiment.
  • Collaborative and dynamic work environment, with a team of experienced professionals who value diversity and inclusion.

How to Stand Out

  • Ensure your resume highlights specific experience with application security, including secure coding practices and application security frameworks.
  • Prepare to discuss your approach to balancing security with innovation, and how you've handled similar challenges in the past.
  • Review the company's technology stack and be ready to talk about how you can contribute to securing cloud-native systems, particularly on AWS and/or GCP.
  • Develop a portfolio or examples of your work in application security, such as security designs, threat models, or code reviews.
  • Be prepared to negotiate salary based on your experience and the market rate for application security engineers, and don't hesitate to ask about benefits and perks.
  • Pay attention to the company culture and values during the interview process, and be sure to ask about opportunities for growth and professional development.

This is a remote position listed on WFA Digital, the platform for professionals who work from anywhere.