Remote Staff App Security Engineer — Build Security Program

It’s rare that a new asset class is born. Nevertheless, we’re witnessing exactly that with the rise of crypto. Over just the last few years, since Bitwise was founded, crypto has evolved from an embryonic $50B market to a growing $3T+ juggernaut. This is an exciting moment for Bitwise as a firm. For eight years, we have established a track record of excellence managing a broad suite of index and active solutions across ETFs, separately managed accounts, private funds, institutional staking, and hedge fund strategies. This year, we crossed $15B in client assets and are growing quickly. Thousands of financial advisors, family offices, and institutional investors partner with Bitwise to understand and access the opportunities in crypto. We are known for providing unparalleled client support through expert research and commentary, a nationwide client team of crypto specialists, and deep access to the crypto ecosystem. Currently, Bitwise is a close-knit team of 100+ global professionals. Think of us as a mix of an asset manager and a tech start‑up. We’re backed by some of the most accomplished investors in venture capital and veterans of the financial services world. We love working together, we love what we do, and we’re excited about what’s ahead.

About The Role

Our engineering organization is growing, and with that growth comes an expanding application and infrastructure footprint that requires dedicated application security ownership. This role exists to build that function from the ground up. As our first dedicated Staff Application Security Engineer, you will own the design and implementation of our application security program, from SAST and DAST tooling to secure SDLC practices, threat modeling, dependency security, and penetration testing coordination. You will work directly with engineering teams across a cloud‑based environment securing both customer‑facing products and internal systems. You will be reporting directly to the Head of Security and will have the autonomy and organizational support to build an application security program that is practical, scalable, and aligned to the risk profile of a company operating in the digital asset space.

Primary Responsibilities

• Static & Dynamic Application Security Testing (SAST / DAST)
• Own the full implementation of SAST tooling across all codebases and CI/CD pipelines
• Own the full implementation of DAST tooling across all customer‑facing and internal applications
• Establish baseline findings, prioritize remediation, and work directly with engineering to resolve issues
• Maintain and tune tooling over time as the codebase and attack surface evolve
• Secure SDLC & Code Integrity
• Define and enforce a secure software development lifecycle across engineering teams
• Establish secure release processes including code signing and build integrity verification
• Develop and maintain security standards, guidelines, and secure coding practices
• Integrate security checkpoints throughout the development pipeline without creating unnecessary friction for engineering
• Threat Modeling
• Lead threat modeling exercises for new infrastructure designs, features, and system changes
• Ensure all customer‑facing and internal applications are fully documented and threat modeled
• Maintain a living inventory of the company’s attack surface and ensure it reflects current architecture
• Apply blockchain‑specific threat modeling to smart contracts, bridge infrastructure, and custody‑adjacent systems, including multi‑sig signing flows and on‑chain/off‑chain trust boundaries
• Dependency & Supply Chain Security
• Implement and manage dependency scanning across all projects
• Enforce version pinning policies to reduce exposure from uncontrolled dependency updates
• Deploy and manage supply chain security tooling (e.g., Socket.dev or equivalent) to monitor for malicious or compromised dependencies
• Establish a process for ongoing dependency review and remediation
• Penetration Testing
• Define and maintain a penetration testing program covering all surface areas — applications, APIs, internal tooling, and infrastructure
• Scope, schedule, and manage third‑party penetration testing engagements
• Track findings through to remediation and validate fixes
• Secrets Management
• Design and implement a secrets management program across cloud infrastructure and engineering workflows
• Eliminate hardcoded credentials and secrets from codebases
• Establish policies and tooling for secrets rotation, access control, and audit logging
• Fuzzing & Attack Surface Coverage
• Implement fuzz testing across applicable components, particularly APIs and input‑handling logic
• Ensure coverage gaps in the attack surface are identified, documented, and addressed systematically

Role Requirements

• 7+ years of experience in application security or a closely related discipline
• Demonstrated experience building or significantly maturing an application security program
• Deep hands‑on experience with SAST and DAST tooling implementation and management
• Strong knowledge of secure SDLC practices and CI/CD pipeline security integration
• Experience with dependency scanning and software supply chain security
• Proficiency in threat modeling methodologies (STRIDE, PASTA, or equivalent)
• Experience managing or coordinating third‑party penetration testing engagements
• Solid understanding of secrets management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, or equivalent)
• Strong written and verbal communication skills — able to document findings and present risk clearly to both technical and non‑technical audiences
• Demonstrated experience securing blockchain‑connected systems, including smart contract security review, multi‑sig wallet architectures, and cross‑chain bridge protocols
• Working familiarity with common DeFi attack surfaces

What We Offer

• Compensation: $185,000 to $260,000 + Equity
• Equity compensation as a component of all offers
• Health insurance, including dental and vision plans
• Health, Dependent Care and Commuter Flexible Spending Accounts
• Paid Parental Leave
• Life insurance; short‑and long‑term disability plans
• Company‑funded 401(k) plan, no matching required
• Unlimited PTO
• 10 paid company‑wide holidays
• Company‑wide winter break for most roles
• Office spaces in San Francisco, New York, and London
• Meals and snacks provided in office
• Paid company cell phone or stipend
• Bitwise “Buddy” Program (30‑day new‑hire success program)
• Annual anniversary gifts
• Company‑wide events including annual holiday party
• Internal Women of Bitwise (WOB) group with fun events

Our Values

• Create “a ha” moments
• Move fast, with informed rationale
• Ask “What would the client want?”
• Show gratitude

Your Interview Process

• Recruiter Interview
• Hiring Manager Interview
• Work Sample Meeting
• Meeting the Team
• Executive/Founders Interview
• References
• Offer!

Bitwise is an equal opportunity employer. We are committed to building a team of people with a variety of backgrounds, perspectives, and skills. It is the policy of Bitwise to ensure equal opportunity. All candidates are considered without regard to race, color, religion, national origin, age, sex, sexual orientation, gender identity, marital status, ancestry, physical or mental disability, veteran status, or any other legally protected characteristics. Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records. Please note that we do not sponsor visas for persons without work authorization in the United States. This role is for full‑time employees only (no B2B or contractors).