Jobs · himalayas
Staff Application Security Engineer
Halcyon Labs · Canada · Posted 18d ago
About the role
Lead application security initiatives and embed security practices within engineering teams.
About UniUni UniUniis a late-stage last-milelogisticscompany moving millions of parcels across the United States and Canada for some of the largest e-commerce platforms in North America. Our technology is cloud-native on AWS. We hold an active ISO 27001 certification and SOC 2 Type II attestation, and security is central to how weoperateand how our customers trust us. This role reports to the Information Security Officer and is based in North America (remote with periodic travel toUniUnihubs). About the role We are hiring a Application Security Engineer to be the senior technical anchor for product and platform security atUniUni. You will set the bar for how we build secure software, embed security into our engineering pipelines, and harden our customer-facing products. You will spend your time shoulder-to-shoulder with engineering, notadjacent toit. This is a hands-on role. You will write code, review code, build tooling, and lead the technically hardest work across application security,DevSecOpsand platform security, and product security. You will set standards that scale, but you will also dig into real systems to find real problems and ship real fixes. What you'll do Application Security Lead threat modeling on new and existing services, focusing on the systems where the risk isrealand the architecture is in motion. Run our secure code review program, including the design of review playbooks, the hardest reviews yourself, and coaching engineers to catch issues earlier. Operate and tune our AppSec tooling stack across SAST, DAST, SCA, andsecretsscanning, keeping signal high and noise low. Own the third-party penetration testing program in partnership with the ISO, from scoping throughfindingstriage and fix verification. Drive standards for authentication, authorization, session management, and API security across our products, and engineer the hard parts yourself when needed. Platform Security and DevSecOps Embed security controls into our CI/CDpipelinesso the secure path is the default path: pre-commit checks, build-time scans, signed artifacts, and policy-as-code gates. Harden our cloud workloads on AWS, including container and Kubernetes security,secretsmanagement, and runtime protections. Codify infrastructure securitybaselinesasIaCand policy (e.g., OPA/Conftest, AWS SCPs,Terraformguardrails) and own the rollout across the platform. Partner with the platform team on identity-aware access to infrastructure, including non-human identities, short-lived credentials, and privileged access patterns. Product Security Engineer enterprise SSO (SAML 2.0 and OpenID Connect) into customer-facing products in support of contractual security commitments to enterprise shippers. Set the technical direction for API security, including authentication, authorization, rate limiting, abuse prevention, and tenant isolation. Drive secure-by-default patterns for data handling in our products, including encryption, key management, and access controls for customer and operational data. Be the senior technical voice in customer security reviews when the questions go past what a questionnaire can answer. Across All of It Triage and lead response to application and platform security incidents, including root cause analysis and durable fixes. Mentorengineers onsecure design and securecoding, andraise the security fluency of the engineering organization through training, office hours, andexample. Contribute to ISO 27001 and SOC 2 evidence, control design, and audit readiness for the controls youoperate. Qualifications 8+building and securing production software, with the last severalfocused onapplication security, product security, orDevSecOpsas your primary discipline. Deep,demonstrablesoftware engineering ability. You read code fluently across multiple languages, you write production-quality code, and engineers respect your technical judgment. Hands-on experience securing AWS workloads at scale, including IAM, networking,containerand Kubernetes security, andIaC(Terraform or equivalent). Working command of modern AppSec tooling (SAST, DAST, SCA,secretsscanning) and how to deploy it in a CI/CD pipeline without grinding delivery to a halt. Strong threat modeling skills anda track recordof turning models into shipped controls. Practical experience implementing SAML 2.0 and OpenID Connect, and a clear mental model of identity, session, and authorization design Experience leading the technical response to security incidents in production environments. Ability to influence engineers and engineering leaders without authority. You explain risk in terms that engineers act on, and you partner rather than police. Nice to Have Experience inlogistics, supplychain, marketplaces, or other high-volume transactional businesses. Background contributing to or maintainingopen sourcesecurity tooling. Prior experience supporting ISO 27001 or SOC 2 control design from the engineering side. Offensive security background (CTFs, bug bounty, red team) that
Read the full posting on himalayas →
FAQ
Is the Staff Application Security Engineer role at Halcyon Labs remote?+
This Staff Application Security Engineer position is listed as remote (Canada).
What is the salary for the Staff Application Security Engineer role at Halcyon Labs?+
The listing states Estimated 100k-231k USD.
What seniority level is this Staff Application Security Engineer role?+
This is a senior level position.
How do I apply for the Staff Application Security Engineer role at Halcyon Labs?+
Use the "Apply on himalayas" button to open the original posting on himalayas, where you can submit your application directly to Halcyon Labs.