HoneyBook

Tel Aviv

Staff Application Security Engineer

full-time, on-site
application security
security engineer
ssdlc
bug bounty

HoneyBook is the leading AI-powered business management platform for service-based business owners. Designed to enhance—not replace—independent professionals, HoneyBook’s AI-powered tools help businesses attract leads, connect with clients, book projects, and manage payments more efficiently. With AI seamlessly integrated into every workflow, entrepreneurs can focus on their craft while scaling their businesses with confidence. Since its founding in 2013, HoneyBook has powered over 25 million client relationships and processed more than $12 billion in transactions, helping independent businesses grow faster and smarter.

Our culture is built on five core values that inform everything we do. We encourage collaboration, feedback, and ownership, and we have a growth mindset. We know experience comes in many forms, some visible on your resume, others not. No one candidate will be a 100% perfect match to our description, so if you thrive in a fast-paced, intellectually charged environment and have similar experience to what we are looking for, we encourage you to apply.

We’re looking for a Staff Application Security Engineer to join our IT and Security team. This role is ideal for a hands-on security professional who is passionate about working closely with engineering teams to design secure software, fix vulnerabilities, and promote a culture of security across the organization.

You’ll be responsible for shaping and owning our Secure Software Development Lifecycle (SSDLC), managing security tooling, and leading the assessment of application and API security across HoneyBook’s products and services.

Here are a few of the things you will do:

  • Collaborate directly with engineering teams to define remediation strategies, track implementation, and validate security fixes across the application stack.

  • Design, implement, and drive SSDLC practices across the company—from security design reviews and threat modeling to proactive triaging in production.

  • Conduct threat modeling, architecture reviews, and security assessments of cloud-based applications and services, including those leveraging emerging technologies.

  • Manage HoneyBook’s bug bounty program, validating reports and coordinating response and resolution.

  • Own and operate our suite of AppSec tools including SAST, ASPM, and other security scanners—triaging findings, prioritizing issues, and guiding engineering toward resolution.

  • Review source code and applications to identify vulnerabilities and collaborate with dev teams on remediation.

  • Act as the point of contact for findings from penetration tests, automated scanners, and external assessments, helping manage triage and ensure timely fixes.

  • Continuously research and stay current with application security trends, frameworks, vulnerabilities, and best practices.

  • Promote a strong security culture across HoneyBook by educating and enabling engineers, architects, and DevOps teams to build secure software from the ground up.

Interested? Here's what we're looking for:

  • 5+ years of experience in Application Security, Product Security, or Secure Software Development.

  • Proven experience working with modern web application stacks, cloud-native architectures, APIs, and CI/CD pipelines.

  • Strong understanding of application security principles, common vulnerabilities (OWASP Top 10), and secure coding best practices.

  • Experience with security tools like Burp Suite, Oligo, VeraCode, SonarQube, or similar (SAST/DAST/IAST/API tools).

  • Hands-on experience with code review and static analysis for security issues across languages like JavaScript, Python, Go, or similar.

  • Familiarity with cloud platforms (AWS preferred) and infrastructure-as-code security.

  • Experience managing bug bounty programs and third-party testing engagements.

  • Excellent communication skills—able to translate security concepts into developer-friendly language and work cross-functionally across teams.

  • Ability to balance pragmatic risk mitigation with product velocity, business needs, and user experience.

  • A growth mindset and a desire to mentor others and continuously improve HoneyBook’s security posture.

Certifications like OSCP, GWAPT, CISSP, or CSSLP are a plus but not required.

The good stuff:

  • Mission-driven: You'll be joining more than just another startup - our members are at the heart of everything we do.
  • Impact: We move quickly and encourage every employee to push the envelope. Our best ideas come from out-of-the-box thinking and innovation; be ready to fail fast and often!
  • Compensation: We offer a competitive salary + meaningful equity based on merit.
  • Benefits + Perks: From wellness programs to exceptional family leave policies, the health and happiness of our employees is foremost.