Application Security Engineer

San Francisco, United StatesRemote

Responsibilities

What You’ll Do: Secure Development Lifecycle - - Own the secure SDLC end-to-end: threat modeling, design reviews, code reviews — you set the bar - Run and coordinate app pentests (internal and external) and drive findings to closure - Build and own SAST/DAST/SCA tooling wired into CI/CD so security ships with the code - Triage and remediate vulnerabilities from every angle — bug bounty, internal scans, the works Software Security Engineering - - Build and maintain the security-critical stuff: encryption

About Opal Security: At Opal, we’re building modern identity governance for the AI era—intelligent access management that empowers enterprises to move fast while staying secure.
You'd be our dedicated security engineer, embedded directly with engineering, writing production code in Go and TypeScript, and building security into the product while it's still being designed.

Bonus points for familiarity with our stack: Go, TypeScript, React, PostgreSQL, Redis, GraphQL - Have led complex, cross-functional security initiatives from kickoff to completion - Have run or participated in external pentests and seen findings through remediation - Thrive on ownership and ambiguity — you'd rather write the playbook than wait for one

Our mission is to bring clarity, control, and confidence to complex enterprise environments, helping teams govern access without slowing down innovation.
The Role: Most security engineers spend their careers bolting locks onto doors that were already built.
We're hiring an Application Security Engineer to own security across Opal's product and platform — and yes, own means what it sounds like.
You’ll work closely with a team of engineers that genuinely care about getting this right, and a product that happens to be one of the most security-critical tools in enterprise software.
Oh, and one more thing: Opal is a security company.