Apolloio
Senior Application Security Engineer
engineering | full-time | Remote, Canada; Remote, United States
SALARY: Not listed
WORK TYPE: remote
JOB TYPE: full-time
INDUSTRY: general
About the role
Role Overview
The Senior Application Security Engineer II is a senior individual contributor responsible for strengthening Apollo’s secure software development lifecycle and reducing application risk across product, platform, and AI-powered features.
This role blends deep code-level application security work with strong cross-functional partnership. It includes application security reviews, threat modeling, AppSec tooling, findings triage and remediation follow-through, external testing intake, and developer enablement.
This role is calibrated at the L6 senior-IC level: owning semi-annual or annual goals, solving ambiguous problems with sound judgment, improving operational processes, and driving meaningful cross-team collaboration and influence.
Key Responsibilities
Secure SDLC, design review, and threat modeling
- Own and continuously improve the secure software development lifecycle for Apollo applications so security is embedded into design, implementation, and deployment.
- Perform application security reviews, threat modeling, and deep code-level analysis for high-impact product, platform, and AI features before launch.
- Provide practical security architecture guidance to Engineering, Product, and IT teams.
- Help define and maintain application-security guardrails, secure design expectations, code review standards, and risk models for new and existing systems.
Vulnerability management and hands-on remediation
- Drive execution-heavy vulnerability management across internal reviews, bug bounty, pentests, SCA/runtime findings, and other research signals, ensuring findings are validated, prioritized, routed clearly, and tracked through remediation and verification within SLAs.
- Go beyond identifying issues: read the code, explain root cause, propose the safest fix, and directly implement or support remediation when needed for complex vulnerabilities.
- Perform hands-on validation and offensive security testing of applications and fixes, including exploit development, bypass testing, adversarial thinking, and focused red-team-style exercises, to confirm remediations address the underlying issue rather than only the initial symptom.
- Work across the kinds of application security issues common in modern SaaS environments, including authentication and authorization.