Staff Security Engineer, Application Security (Hybrid)

📋 Description

• • As a Staff Security Engineer, Application Security at Homebase, you will be instrumental in defining and executing the company's application security strategy. This is a pivotal technical leadership role (E5 level) where you will shape the multi-quarter roadmap for securing our diverse product suite, which includes scheduling, payroll, time tracking, HR, team communication, and an expanding array of AI-powered features. Your expertise will be crucial in protecting sensitive workforce and financial data, as well as securing the AI models and pipelines that are becoming integral to our user experience.
• • You will serve as the primary technical authority and trusted advisor for application security within our engineering organization. Your role will involve working at the critical intersection of security, product development, and engineering. You will collaborate closely with engineering leaders to embed security principles into the architectural design from the earliest stages, while simultaneously developing the essential platforms and tools that empower developers to ship secure code rapidly and efficiently.
• • **Security Strategy & Architecture:**
• • Define, champion, and execute Homebase’s comprehensive Application Security roadmap, ensuring alignment with overarching business objectives and company OKRs. This involves setting clear priorities and measurable outcomes for security initiatives.
• • Architect and promote secure-by-default patterns, robust frameworks, and streamlined development pathways (paved roads) that engineers can easily adopt. The goal is to proactively eliminate entire categories of common vulnerabilities before they can manifest in production environments.
• • Conduct thorough evaluations of emerging security technologies, making informed build-versus-buy decisions that strategically shape the future of our security platform and capabilities.
• • Lead critical discussions and drive decisions regarding security and product trade-offs at the architectural level, ensuring a delicate balance between robust protection and the need for development velocity.
• • Influence company-wide engineering practices and investment decisions in security by providing clear, data-driven recommendations and insights.
• • **AI Security:**
• • Take the lead in conducting threat modeling exercises and security architecture reviews specifically for our AI-powered features, model training pipelines, and any third-party LLM integrations. This includes identifying potential attack vectors and designing appropriate defenses.
• • Design, implement, and operationalize specialized security controls tailored for AI/ML systems. This encompasses developing defenses against prompt injection, implementing rigorous model input validation and output filtering, and ensuring the integrity of data pipelines used in AI development.
• • Develop and deploy AI-powered tools and automation to enhance our security operations, significantly multiplying the effectiveness and efficiency of the security team.
• • Foster strong partnerships with our AI engineering teams to establish and enforce secure development patterns for model deployment, inference infrastructure, and the overall AI lifecycle.
• • Proactively monitor and analyze the rapidly evolving AI threat landscape, translating emerging risks and vulnerabilities into actionable, practical engineering guidance for development teams.
• • **Secure Development & Tooling:**
• • Build, maintain, and enhance security tooling and automation solutions that integrate seamlessly into our existing CI/CD pipelines. This enables continuous security validation and testing at scale, ensuring security is a constant part of the development process.
• • Own and mature the vulnerability management program. This includes designing and implementing modern, efficient systems for the detection, accurate prioritization, diligent tracking, and timely remediation of security debt across our entire product portfolio.
• • Lead and refine the bug bounty and responsible disclosure program. This involves effectively managing external researcher findings, ensuring prompt acknowledgment, and translating reported vulnerabilities into systemic improvements to prevent recurrence.
• • Embed security best practices throughout the entire software development lifecycle (SDLC). This will be achieved through the implementation of scalable guardrails, the development of automated security testing frameworks, and the creation of clear, accessible developer-facing documentation and resources.
• • **Cross-Functional Impact & Culture:**
• • Collaborate closely with senior leaders across Engineering, Product Management, and Infrastructure teams to holistically enhance Homebase’s overall security posture and resilience.
• • Champion and pioneer a robust security partnership program. This involves actively mentoring engineers across the organization, fostering a culture where security is a shared responsibility, and empowering teams to take ownership of their security practices.
• • Provide expert technical guidance and leadership during security incidents, and meticulously lead post-incident analysis to identify root causes and drive systemic improvements that prevent future occurrences.
• • Curate, develop, and disseminate essential security guidance, best practice patterns, and comprehensive training content designed to elevate the security awareness and capabilities of the entire organization.
• • Exert influence on security-related decisions at both the departmental and company-wide levels, actively shaping how Homebase strategically invests in and prioritizes its security capabilities and resources.
• • **Hybrid Work Model:**
• • Embrace our hybrid work rhythm, understanding that Tuesdays and Wednesdays are designated in-office collaboration days. This structure is designed to foster faster teamwork, build deeper interpersonal connections, facilitate more effective decision-making, and enhance our collective ability to build innovative solutions together.