Staff Application Security Engineer

Application Security Engineer

UniUni is a late-stage last-mile logistics company moving millions of parcels across the United States and Canada for some of the largest e-commerce platforms in North America. Our technology is cloud-native on AWS. We hold an active ISO 27001 certification and SOC 2 Type II attestation, and security is central to how we operate and how our customers trust us. This role reports to the Information Security Officer and is based in North America (remote with periodic travel to UniUni hubs).

About the Role

We are hiring an Application Security Engineer to be the senior technical anchor for product and platform security at UniUni. You will set the bar for how we build secure software, embed security into our engineering pipelines, and harden our customer-facing products. You will spend your time shoulder-to-shoulder with engineering, not adjacent to it.

This is a hands-on role. You will write code, review code, build tooling, and lead the technically hardest work across application security, DevSecOps and platform security, and product security. You will set standards that scale, but you will also dig into real systems to find real problems and ship real fixes.

What You'll Do

• Application Security
• Lead threat modeling on new and existing services, focusing on the systems where the risk is real and the architecture is in motion.
• Run our secure code review program, including the design of review playbooks, the hardest reviews yourself, and coaching engineers to catch issues earlier.
• Operate and tune our AppSec tooling stack across SAST, DAST, SCA, and secrets scanning, keeping signal high and noise low.
• Own the third-party penetration testing program in partnership with the ISO, from scoping through findings triage and fix verification.
• Drive standards for authentication, authorization, session management, and API security across our products, and engineer the hard parts yourself when needed.

Platform Security and DevSecOps

• Embed security controls into our CI/CD pipelines so the secure path is the default path: pre-commit checks, build-time scans, signed artifacts, and policy-as-code gates.
• Harden our cloud workloads on AWS, including container and Kubernetes security, secrets management, and runtime protections.
• Codify infrastructure security baselines as IaC and policy (e.g., OPA/Conftest, AWS SCPs, Terraform guardrails) and own the rollout across the platform.
• Partner with the platform team on identity-aware access to infrastructure, including non-human identities, short-lived credentials, and privileged access patterns.

Product Security

• Engineer enterprise SSO (SAML 2.0 and OpenID Connect) into customer-facing products in support of contractual security commitments to enterprise shippers.
• Set the technical direction for API security, including authentication, authorization, rate limiting, abuse prevention, and tenant isolation.
• Drive secure-by-default patterns for data handling in our products, including encryption, key management, and access controls for customer and operational data.
• Be the senior technical voice in customer security reviews when the questions go past what a questionnaire can answer.

Across All of It

• Triage and lead response to application and platform security incidents, including root cause analysis and durable fixes.
• Mentor engineers on secure design and secure coding, and raise the security fluency of the engineering organization through training, office hours, and example.
• Contribute to ISO 27001 and SOC 2 evidence, control design, and audit readiness for the controls you operate.

Qualifications

• 8+ building and securing production software, with the last several focused on application security, product security, or DevSecOps as your primary discipline.
• Deep, demonstrable software engineering ability. You read code fluently across multiple languages, you write production-quality code, and engineers respect your technical judgment.
• Hands-on experience securing AWS workloads at scale, including IAM, networking, container and Kubernetes security, and IaC (Terraform or equivalent).
• Working command of modern AppSec tooling (SAST, DAST, SCA, secrets scanning) and how to deploy it in a CI/CD pipeline without grinding delivery to a halt.
• Strong threat modeling skills and a track record of turning models into shipped controls.
• Practical experience implementing SAML 2.0 and OpenID Connect, and a clear mental model of identity, session, and authorization design
• Experience leading the technical response to security incidents in production environments.
• Ability to influence engineers and engineering leaders without authority. You explain risk in terms that engineers act on, and you partner rather than police.

Nice to Have

• Experience in logistics, supply chain, marketplaces, or other high-volume transactional businesses.
• Background contributing to or maintaining open source security tooling.
• Prior experience supporting ISO 27001 or SOC 2 control design from the engineering side.
• Offensive security background (CTFs, bug bounty, red team) that informs how you think about defense.
• Experience hardening LLM-integrated or AI-powered features in production.

Why This Role

This is a senior IC role with real scope. You will set standards that the engineering organization actually adopts because you will have built them, shipped them, and proved they work. You will report to the Information Security Officer in a security function with executive commitment, a live ISO 27001 certification, and an active SOC 2 Type II attestation, and you will have the autonomy and the mandate to make UniUni's products and platform meaningfully more secure.