Security Engineer - Vuln Management (Code)

Mid-Level Appsec Vulnerability Management Engineer

We are seeking a mid-level AppSec Vulnerability Management Engineer with a strong software development background. In this role, you will bridge the gap between security, compliance, and engineering teams. You will identify application vulnerabilities, maintain software supply chain security, and drive tracking to satisfy strict regulatory compliance frameworks. You will also serve as a technical responder during security incidents, deploying real-time countermeasures to protect our software ecosystem.

Core Responsibilities

• Perform periodic application security scanning activities. Review results and prioritize flaws based on CVSS scores, real-world exploitability, and system exposure.
• Track, document, and manage vulnerabilities according to strict compliance SLAs (e.g., SOC 2, ISO 27001, PCI-DSS). Maintain audit-ready evidence of remediation timelines and exception approvals.
• Escalate and report critical exposures directly to the CISO and senior leadership. Maintain dashboards and alerting mechanisms that visualize vulnerability status, risk trends, and compliance posture.
• Ownership of the organization's Software Bill of Materials (SBOM). Continually update SBOM inventories to ensure compliance with modern regulatory requirements and dependency tracking. Help Replit mature through various SLSA levels for supply chain security.
• Partner with development teams to provide clear mitigation paths. Review, write, and patch code directly when necessary to resolve security flaws.
• Configure and tune automated security testing tools within CI/CD pipelines to reduce false positives for engineering teams.
• Assist Incident Response teams during active breaches or security incidents. Help develop and implement immediate, real-time code or infrastructure countermeasures.

Required Skills & Experience

• 5 years of experience in Application Security, DevSecOps, or Software Engineering roles.
• Solid foundational experience working in a software development capacity.
• Ability to read, understand, and safely patch security flaws in JavaScript/TypeScript, Python, and Go.
• Strong familiarity with build systems, package managers, and compilation workflows across multiple languages and frameworks.
• Hands-on experience operating SAST, SCA, and Secret Scanning tools (such as Snyk, Socket, Wiz Code, Semgrep, or Checkmarx).
• Understanding of how vulnerability management maps to security compliance frameworks like SOC 2, ISO 27001, or NIST.

What We Value

• The ability to see the "big picture" and understand how security decisions impact the entire stack.
• The ability to drive technical alignment across the organization through expertise and collaboration rather than direct authority.
• Comfortable leading major technical initiatives and driving outcomes with minimal oversight.
• A passion for breaking down complex security challenges into elegant, scalable engineering solutions.

This is a full-time role that can be held from our Foster City, CA office. The role has an in-office requirement of Monday, Wednesday, and Friday.

Full-Time Employee Benefits Include:

• Competitive Salary & Equity
• 401(k) Program with a 4% match (US Only)
• Health, Dental, Vision and Life Insurance
• Short Term and Long Term Disability
• Paid Parental, Medical, Caregiver Leave
• Flexible Time Off (FTO) + Holidays
• Commuter Benefits (In-Office Only)
• Monthly Wellness Stipend
• Autonomous Work Environment
• In Office Set-Up Reimbursement (In-Office Only)
• Quarterly Team Gatherings
• In Office Amenities (In-Office Only)

To achieve our mission of making programming more accessible around the world, we need our team to be representative of the world. We welcome your unique perspective and experiences in shaping this product. We encourage people from all kinds of backgrounds to apply, including and especially candidates from underrepresented and non-traditional backgrounds.