Senior Application Security Engineer

Job description

At GFiber, we believe that great internet has the power to drive innovation, strengthen communities, enable the impossible, and do all the everyday things that make all of our world go round. And the job of creating better internet is never done - so we’re growing! Our team is committed to building a place where people who want to make a difference can grow their careers and find their spot to belong.

GFiber is an Alphabet company that brings Google Fiber and Google Fiber Webpass internet services to homes and businesses across the United States. Our teams are expanding as we connect more cities and people to exceptional internet.

The application window will be open until at least August 15, 2025. This opportunity will remain online based on business needs which may be before or after the specified date.

The Cybersecurity team at GFiber leads the protection of our networks, systems, and data from advanced threats. We champion the effort to ensure GFiber delivers internet services securely, embedding security into the core of our offerings and making the secure path the default path for our developers and customers. This Senior Application Security Engineer position is a key role within the Cybersecurity team, dedicated to proactively integrating security throughout the software development lifecycle (SDLC). This role will be at the forefront of designing, building, and deploying secure applications, ensuring the resilience and trustworthiness of GFiber’s services, and will be critical in maturing our application security program and fostering a security-first engineering culture.

Role Description

As a Senior Application Security Engineer, your mission is to ensure GFiber develops and delivers secure services and applications to our customers. You will achieve this by embedding security best practices, tools, and knowledge directly into our development processes and teams. You’ll leverage your deep expertise in application security, secure coding practices, threat modeling, and automated security testing to empower our engineering teams. Your work will enhance our ability to design, build, and deploy secure applications effectively from the ground up. In this role, you’ll be a pivotal member of the Cybersecurity team, directly shaping GFiber’s application security posture. You will focus on building and improving our secure development lifecycle, leveraging automation, and providing expert guidance to development teams. You’ll collaborate closely with Software Engineering, DevOps, Product Management, and other Cybersecurity functions (like Security Operations and GRC) to ensure a holistic approach to security.

In this role, you’ll:

• Champion Secure by Design Principles: Lead the integration of security into all phases of the software development lifecycle (SDLC), from design and threat modeling to secure coding, testing, and deployment, ensuring the “default path” is the secure path for application development.
• Lead Application Security Initiatives: Drive key projects to enhance GFiber’s application security posture, including the development of security standards, secure coding guidelines, and the implementation of advanced security testing methodologies.
• Drive Automation and Tooling: Design, implement, and optimize automated security tools (SAST, DAST, SCA, IAST) and integrate them into CI/CD pipelines to provide rapid feedback to developers and accelerate secure software delivery.
• Evolve Threat Modeling and Security Reviews: Establish and lead threat modeling efforts for new and existing applications, conduct in-depth security architecture reviews, and perform manual and automated code reviews to identify and mitigate vulnerabilities.

At a minimum we’d like you to have:

• Bachelor’s degree in Computer Science, Information Security, a related field, or equivalent practical experience.
• 7 years of experience in application security, including hands-on experience with secure SDLC practices, threat modeling, vulnerability assessment, and penetration testing.
• Direct experience with one or more programming languages (e.g., Java, JavaScript, Kotlin) and experience with code review.
• Experience with application security tools and technologies (e.g., SAST, DAST, IAST, SCA, WAF).

It’s preferred if you have:

• Demonstrated success in developing, implementing, and maturing an application security program or significant security features.
• Experience building and deploying security solutions in GCP (Google Cloud Platform).
• A deep understanding of common application vulnerabilities (e.g., OWASP Top 10, SANS Top 25), attack vectors, and remediation techniques.
• Experience in developing and delivering security training and awareness programs to engineering teams.
• Relevant security certifications (e.g., GPEN, CSSLP, GWAPT, GWEB, OSCP, OSWE, OSEP).
• Experience with container security (Docker, Kubernetes) and Infrastructure as Code (IaC) security principles.

The US base salary range for this full-time position is between $157,000 - $230,000 + bonus + cash award + benefits. As pay varies by location, your recruiter will share more about the specific salary range for your targeted location during the hiring process.

GFiber is committed to equal opportunity employment regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, gender identity, age, citizenship, marital status, disability or Veteran status. Disclosure is voluntary, and this information will be kept confidential in compliance with Google’s Candidate Privacy Policy. For more information please refer to our Equal Employment Opportunity Policy and the EEOC’s “Know your rights: workplace discrimination is illegal” (PDF).

It’s important to us to create an accessible, inclusive workplace for everyone. If you have a need that requires accommodation, please let us know by completing ouraccommodations for applicants form. Our candidate accommodations team will then connect with you to confidentially discuss your options.