Application Security Engineer

· Remote

Location

Remote

Type

Full Time

Job Description

Seattle, WA, USA
Hybrid
195K-244K Annually
Senior level
eCommerce • Fintech • Real Estate • Software • PropTech
Come home to your dream job
The Role
Own application-layer risk detection and remediation across consumer flows, GraphQL APIs, and internal tools. Build and operate AppSec tooling, manage HackerOne, run threat modeling and security design reviews, create CI guardrails, automate vulnerability triage with AI agents, and lead offensive testing and red team exercises to harden authentication, authorization, and cloud/container security.
Summary Generated by Built In

About Opendoor

At Opendoor, our mission is to tilt the world in favor of homeowners and those who aim to become one. Homeownership matters. It's how people build wealth, stability, and community. It's how families put down roots, how neighborhoods strengthen, how the future gets built. We're building the modern system of homeownership, giving people the freedom to buy and sell on their own terms. We’ve built an end-to-end online experience that has already helped thousands of people, and we’re just getting started.

About The Role

Our Security Engineering team builds intelligent systems that protect Opendoor and our customers while enabling unprecedented engineering velocity. We apply software engineering and AI to solve security problems across product, infrastructure, and operations by building guardrails where they matter, not gates where they don't.

As our Application Security Engineer, you'll own how we find, prioritize, and drive down application-layer risk across the consumer flows that put cash offers in homeowners’ hands, the GraphQL APIs that power our products, and the AI agents and vibe-coded tools our engineers ship every week. The job is to make it safe to build fast, not to slow things down.


What You'll Do

● Define, build, and operate Opendoor’s application vulnerability identification capability - the tooling, triage workflow, and remediation techniques across our consumer products, internal admin tools, and GraphQL API powering home acquisition, resale, mortgage, title, and escrow.

● Assess, rationalize, and own our AppSec tooling stack - static and dynamic security testing, software supply chain risk detection, and secrets scanning - and integrate findings into developer workflows where engineers already live (GitHub, Linear, Slack).

● Own and mature our HackerOne program: tightening the triage workflow, improving signal to noise on incoming reports, strengthening researcher relationships, and closing the loop with engineering teams so root causes get addressed quickly.

● Lead threat modeling and security design reviews for new services, APIs, and mobile features. Turn the patterns you see into rules, lint checks, and CI guardrails so the next team doesn't make the same mistake.

● Build AI agents and automated workflows that triage vulnerability reports, validate exploit reproductions, and draft remediation pull requests, replacing manual security review with high-signal automation.

● Partner with engineering teams to harden authentication, authorization, and input validation across our codebase and production services, including the GraphQL gateway (Apollo) and our Kubernetes workloads - while driving a shift-left strategy that catches vulnerabilities before they ship.

● Build Opendoor’s offensive security capability. Scope and run internal security testing, red team exercises, and adversarial analysis of our highest-risk flows, ensuring findings directly harden detection and response.

● Set the bar for what "secure by default" looks like for AI-maximalist engineering, including vibe-coded apps, MCP servers, and agent-driven workflows that touch production data.

● Build Opendoor’s security culture by establishing secure design standards, embedding into engineering team rituals, and developing a strong security mindset - creating a foundation for engineers to think like attackers without slowing down.


Tech Stack

● Languages: Go, Python, TypeScript, Ruby, Terraform

● Cloud: AWS, GCP, Azure, Kubernetes, Apollo GraphQL

● AppSec Tooling: GitHub Advanced Security (CodeQL, Dependabot, secret scanning), Semgrep, HackerOne, Burp Suite, Cloudflare WAF

● AI Tooling: Claude, OpenAI, various agent frameworks, MCP — used heavily for vulnerability triage, exploit verification, and remediation drafting


What You'll Need

● Deep conviction that AI and automation should eliminate manual work and increase the team's impact, and a track record to prove it. You’ve built agentic systems that replaced reactive security work, not just configured off-the-shelf tools.

● Comfort operating with high autonomy in ambiguous environments. You’ve defined what “good” looks like in a domain where no playbook existed; you’re energized by that, not unsettled by it.

● Business enablement security mindset. You measure success by business impact and informed risk-taking, not by tickets opened or pen test reports filed.

● 5+ years of application security or software engineering experience with a security focus, with strong skills in at least one of Python, Go, TypeScript, or Ruby, and the ability to read and write code across the others.

● Hands-on expertise across the security risk detection toolchain, with real deployment experience using GitHub Advanced Security, Semgrep, or equivalent.

● Strong grasp of common application and API vulnerability classes, including GraphQL, REST, and gRPC security pitfalls - broken authorization, mass assignment, introspection exposure, insecure direct object references.

● Practical threat modeling skills. You can take an architecture diagram and a 30-minute conversation and walk out with the three things that actually matter.

● Experience with cloud and container security on AWS and Kubernetes, including identity and access management, secrets management, and continuous integration / continuous deployment pipeline security.

● Humility and genuine curiosity. You're as excited to learn from product engineers and enable their work as you are to break things.


Bonus Points

● Offensive security experience including pentesting API security or mobile security and/or red team operations.

● Experience running a bug bounty or coordinated disclosure program at scale.

● Mobile application security review experience (iOS and Android).

● Experience securing AI and machine learning pipelines, agent frameworks, or MCP-style integrations.

● OSCP, OSWE, or similar offensive certifications.


Location

This role is based in our downtown Miami office, in-person four days per week (Monday, Tuesday, Thursday, Friday). Candidates must be based within commuting distance of the office.

Skills Required

  • 5+ years of application security or software engineering experience with a security focus
  • Strong skills in at least one of Python, Go, TypeScript, or Ruby, and ability to read and write code across others
  • Hands-on deployment experience with security risk detection tools such as GitHub Advanced Security or Semgrep
  • Practical threat modeling skills and ability to perform security design reviews
  • Strong understanding of application and API vulnerability classes (GraphQL, REST, gRPC), including broken authorization and insecure direct object references
  • Experience with cloud and container security on AWS and Kubernetes, including IAM, secrets management, and CI/CD pipeline security
  • Track record building AI/automation/agentic systems to automate security workflows (vulnerability triage, exploit verification, remediation drafting)
  • Comfort operating with high autonomy in ambiguous environments and defining security standards where no playbook exists
  • Business enablement mindset; measure success by business impact and informed risk-taking
  • Humility, genuine curiosity, and ability to collaborate with product and engineering teams
  • Based within commuting distance of downtown Miami office and available to work in-person four days per week
  • Offensive security experience (pentesting API/mobile security) and bug bounty/red team program experience
  • Experience securing AI/ML pipelines, agent frameworks, or MCP-style integrations
  • Mobile application security review experience (iOS and Android)
  • OSCP, OSWE, or similar offensive security certifications

Opendoor Compensation & Benefits Highlights

  • Healthcare Strength: Medical, dental, and vision insurance are standard, alongside mental‑health resources, life and disability coverage, and FSA options. These elements indicate a comprehensive health and wellness package.
  • Parental & Family Support: Parental leave, fertility and adoption assistance, and family medical leave are highlighted. Paid volunteer time and flexible work arrangements further support family needs.
  • Equity Value & Accessibility: Equity grants are offered, and an active Employee Stock Purchase Plan provides discounted share access. Role descriptions referencing ESPP administration reinforce that these ownership programs are in operation.

The Company
HQ: San Francisco, CA
1600 Employees
Year Founded: 2014

What We Do

Founded in 2014 Opendoor’s mission is to empower everyone with the freedom to move. We believe the traditional real estate process is broken and confusing. It often comes with unexpected costs the added burden of coordinating multiple third parties and the uncertainty of a transaction falling through. Our goal is simple: build a digital end-to-end customer experience that makes buying and selling a home simple certain and fast. We have assembled a dedicated team with diverse backgrounds and talents across engineering operations design operations mortgage finance legal and more to deliver strong results. More than 85000 customers have selected us as a trusted partner in handling one of their largest financial transactions.

Why Work With Us

We’re on a mission to power life’s progress one move at a time

Opendoor Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

Typical time on-site: Flexible
HQ: San Francisco, CA
Atlanta, GA
Bengaluru, IN
Chennai, IN
Dallas, TX
Hyderabad, IN
Portland, OR
Raleigh, NC
Seattle, WA
Tempe, AZ

Date Posted

07/02/2026
