Staff/Principal Application Security Engineer

Binti builds software for state and county government agencies, focusing on reinventing social services. We started in child welfare, with the mission of helping every child have a safe, loving, and stable family. To date, we've helped approve more than 100,000 families to foster or adopt, and we support over 49% of the nation's child welfare system. We have expanded our product offerings in child welfare, moving more to the root of the problem, helping families stay together and avoid separation, and are now expanding horizontally across other areas in social services.

Binti is a for-profit, mission-driven software company based in San Francisco, CA. Investors include Founders Fund, First Round Capital, Kapor Capital, and others. We're a team of ~90 people and growing quickly. We care about creating a workplace where everyone feels welcome and can bring their full self to work. We have a huge, ambitious vision to rewire government to be more effective in expanding opportunities for people around the world, and we are looking for mission-driven, high-empathy, high-performance, and low-ego team members to join us on our exciting journey towards that vision.

As Binti's first Principal Security Engineer (Applications focused), reporting to our CTO, you will play a critical role in ensuring the security and integrity of our software applications. You will work alongside Binti's full-stack engineers, contribute to security controls in our software, identify and address potential security vulnerabilities, implement best practices, and uphold secure coding standards.

WHAT YOU WILL DO

• Conduct Security Assessments: Provide holistic assessments of Binti's security stance, including performing regular security reviews, code audits, penetration testing, and threat modeling to maintain the highest standard of application security.
• Set Direction: Help Binti chart a specific and pragmatic course of action to achieve a strong security posture. This includes scoping and prioritizing work, determining what levels of investment and risk we should take on given our scale and capacity, contributing to job descriptions and hiring plans for the next team members, and building relationships across teams and with company leadership to effectively communicate and advocate for these goals.
• Respond To Incidents: Respond promptly to security incidents, collaborate with engineers on-call, and provide detailed post-event analyses. Evaluate the applicability of emergent security concerns through risk rating and assessment (such as OWASP).
• Improve Security Architecture: In a leadership capacity with the Engineering team, identify, design, and implement technologies to enhance security automation, during the software development lifecycle, within the product itself, and in cloud hosting environments.
• Set Security Standards: Lead efforts to design and implement secure coding standards and best practices across the development lifecycle, with an eye toward automation, including effective AI tools
• Share Expertise: Stay up to date on the latest security threats, vulnerabilities, and industry best practices, and ensure the integration of this knowledge into Binti's security strategies. Act as our company's expert on application security matters, providing mentorship to development teams and fostering a scalable, security-aware culture.
• Represent the Security team to other Binti teams and Binti leadership: Act as a steward of the Binti values. Tell the story of the security team, advertising its good work, and celebrating wins.

SAMPLE PROJECTS

• Review and implement security patches and hotfixes in production applications.
• Implement streamlined feedback of security recommendations for new products before launch into the Binti platform.
• Improve the security of documents and files uploaded and downloaded on the platform.
• Analysis, scoping, and implementation of security improvements to better protect Personal Health Information and Personally Identifiable Information stored within the product.
• Improve notification and escalation of security concerns from third parties (such as security researchers).
• Integration of new and existing logging and alerting systems to centralized and/or decentralized Security Incident and Event Management (SIEM) platforms.
• Assess backlog of application-specific security tickets and provide recommendations for remediation and
• Support evidence collection for compliance frameworks such as SOC 2 Type II and HIPAA.
• In partnership with a vendor, stand up a bug bounty program and drive engagement from external security researchers
• Drive the timely completion of critical security tasks (e.g. incident remediation follow-ups), sometimes implementing personally, and sometimes overseeing the implementation by full-stack engineers.

WHAT WE LOVE ABOUT YOU

• Technical Expertise: Proven experience as an Application Security Engineer or in a similar role. Strong technical background with experience in full-stack development, cloud computing, and scalable architecture. Proficiency in one or more OOP coding languages (Ruby, Python, Java, etc) is strongly preferred.
• Deep Understanding: Strong understanding and knowledge of web application security principles, common vulnerabilities, and best practices.
• Collaborative Approach: Excellent communication skills with the ability to simply convey complex security concepts to non-technical stakeholders and clearly articulate the relative risks and trade-offs.
• Product Orientation: Focused on keeping the company secure while ensuring the team can still ship products and deliver value to customers and users.
• Decisions That Scale: Experience cultivating a security-aware development culture that scales through mentorship and automation.
• Passion for Social Impact: A genuine interest in leveraging technology to address social challenges, with a strong sense of purpose in improving outcomes for children in need.
• Drive urgency with intention: A sense of pragmatism, resourcefulness, and focus to advance our security goals with a relatively small team.
• Big plus - prior experience with GovTech or FedRamp

Final selected candidates who receive a conditional offer of employment may be required to undergo a background and reference check, which could include verification of employment and education, criminal history review, and, where applicable, fingerprinting.

BENEFITS & PERKS

• An above-market compensation package (salary + equity)
• Excellent medical, dental, vision, and life insurance - 99% of insurance premiums covered for you + your dependents
• Flexible vacation time to promote a healthy work-life blend
• 13 paid holidays; 11 federally observed holidays (including Juneteenth), plus Election Day and the day after Thanksgiving
• 16 weeks of paid parental bonding leave for the arrival of a newborn or newly placed infant
• Sick/mental health time separate from vacation days (accrue up to a cap of 80 hours)
• 4 weeks of sabbatical after 4 years of service at the company
• 401k, Commuter benefits, FSA, and DCFSA with administration paid for
• $5,000 annual bonus for employees who volunteer as a CASA (court-appointed special advocates)
• $2,500 annual reimbursement for ongoing learning and development, with opportunities to attend trainings/conferences, on-site speaker series, and lunch and learns
• $300 reimbursement for initial office setup
• $50 a month effective work reimbursement to cover internet, electricity, office setup costs, or lunch/snacks with coworkers
• Paid jury duty

At Binti, we celebrate having a diverse team and believe our differences make us stronger. Binti is proud to be an equal-opportunity workplace and is an equal-opportunity employer. We welcome all qualified applicants to apply without regard to race, color, religion, gender, sexual orientation, age, national origin, disability, or protected Veteran status.