Job Purpose

As an Application Security Engineer at Luciq, you will help shape and build our application security program alongside the wider team. This is a hands-on, high-ownership role where you will work closely with product and development teams across the full software development lifecycle — reviewing designs before code is written, identifying risks as features take shape, and ensuring security is embedded into how we build and ship software, not bolted on after the fact.

Our stack runs on Ruby on Rails, Go, and Python, deployed on AWS with Terraform managing infrastructure as code and Jenkins powering CI/CD. You will read and review code in these languages — not just rely on scanner output — and work with AWS security services (SecurityHub, Inspector, GuardDuty, CloudTrail, CloudFront) to provide visibility and protection across our infrastructure.

The role spans web applications, APIs, our mobile SDK (iOS and Android), cloud, and CI/CD — partnering with engineers, PMs, Platform, and the Security team to make the secure path the default path. This role can be filled at mid-level with a clear growth path to senior-level as you grow into shaping our application security program, or at senior-level if you're already operating at that scope.

You will join a lean Security team, which entails stepping beyond core AppSec for incident triage, addressing customer security questionnaires, or supporting cross-functional cloud and compliance reviews. We value this variety as a core facet of the role; if you are seeking hyper-specialized work restricted strictly to application security, this may not be the right fit.

Job Responsibilities

Secure Design & Code Review
- Run and lead threat modeling sessions with product and engineering teams during feature design. This is a hands-on role with expectations to deliver fixes in the product as needed while enabling other engineers.
- Conduct security code reviews and architecture reviews across web applications, APIs, and services in Ruby, Go, and Python.
- Leverage AI and make sure that we enable engineers to adhere to security acceptance criteria. Provide guidance to engineers on secure design as we iterate and build the product.

Vulnerability Management
- Validate, triage, and drive remediation of vulnerabilities — partner with engineering teams across the full lifecycle from discovery through SLA support.
- Coordinate with engineering teams on fix verification and root-cause prevention.

Security Automation in CI/CD
- Build and maintain automated security testing in CI/CD — SAST, SCA, secret scanning.
- Tune tooling for signal over noise; integrate findings into developer workflows.
- Operate secret-scanning and leaked-credential response workflows.

Cloud & Infrastructure Security
- Support cloud security reviews — IAM policies, network segmentation, container/Kubernetes configurations, and Terraform policy-as-code.
- Work with AWS security services (SecurityHub, Inspector, GuardDuty, CloudTrail, CloudFront) to maintain visibility and detection across our infrastructure.

Supply Chain & Build Security
- Own dependency risk via SCA, lockfiles, and pinning.
- Drive CI/CD pipeline hardening — build runners, OIDC-to-cloud, artifact signing, SBOM standards.

Cross-functional Security Enablement
- Develop secure coding guidelines and reusable patterns that make the secure path the default.
- Drive S-SDLC adoption across engineering teams.
- Review the security posture of our mobile SDK across iOS and Android — data handling, transport security, local storage, IPC, encryption, third-party dependency risk, and SDK consumer-facing security defaults.
- Assess security risks in AI/LLM integrations — prompt injection, insecure output handling, trust boundaries in agentic architectures.
- Support compliance initiatives (SOC 2, ISO 27001) — translate control requirements into engineering practices and assist with audit evidence collection.
- Use AI tooling actively in your own workflow (AI-assisted code review, threat modeling drafts, vulnerability research, and security artifact generation) and help shape how the rest of engineering uses AI safely.

Job Requirements

Must-Haves
- Experience: 3-6 years in application security or security engineering.
- Education: Bachelor's degree in Computer Science, Information Security, or equivalent practical experience.
- Secure code review in at least one of Python, Ruby, Go — can read code and reason about vulnerabilities, not rely on scanner output.
- OWASP Top 10 (Web and API) as root-cause patterns, not a memorized checklist — including SSRF, insecure deserialization, injection classes, and access-control flaws.
- Threat modeling: practical experience with STRIDE and data flow diagrams; can lead a session with a product team and produce actionable output.
- Auth and identity: working depth in session management and RBAC/ABAC models.
- CI/CD security automation: hands-on experience integrating SAST, SCA, and secret scanning into pipelines and tuning for actionable signal.
- Proactive and ownership-driven — does not wait to be told what to secure.
- Comfortable working cross-functionally with product engineers, platform engineers, and the wider team.
- Strong analytical and problem-solving abilities.
- Fluent in English, with strong written and verbal communication.
- Communication: clear written and verbal communication; can explain a vulnerability to an engineer, a PM, or a VP.

Strong Plus
We expect strong candidates to have some of these, not all. The more, the better.
- Mobile SDK security: OWASP Mobile Top 10 and MASVS/MASTG; Android (Kotlin) or iOS (Swift); experience with Frida, objection, or MobSF.
- AWS security service depth: SecurityHub, Inspector, GuardDuty, CloudTrail, CloudFront beyond IAM.
- Container and Kubernetes security fundamentals.
- Supply chain depth: SLSA framework, SBOM.
- AI/LLM security: prompt injection mitigations, OWASP LLM Top 10, securing agentic architectures and tool-use boundaries.
- Familiarity with ISO 27001 or SOC 2.

Nice to Have
- Terraform and policy-as-code: tfsec, Checkov, OPA/Conftest.
- Experience building or bootstrapping a security program.
- Bug bounty participation, published CVEs, or documented security research.
- Hands-on certifications: OSCP, OSWE, eMAPT.
- Incident response experience — triage, containment, root-cause analysis.
- Red teaming or purple teaming experience.