Staff Application Security Engineer in London

About the Role: Our engineering organization is growing, and with that growth comes an expanding application and infrastructure footprint that requires dedicated application security ownership. This role exists to build that function from the ground up. As our first dedicated Staff Application Security Engineer, you will own the design and implementation of our application security program, from SAST and DAST tooling to secure SDLC practices, threat modeling, dependency security, and penetration testing coordination. You will work directly with engineering teams across a cloud‑based environment securing both customer‑facing products and internal systems. You will be reporting directly to the Head of Security and will have the autonomy and organizational support to build an application security program that is practical, scalable, and aligned to the risk profile of a company operating in the digital asset space.

Primary Responsibilities:

• Static & Dynamic Application Security Testing (SAST / DAST)
  • Own the full implementation of SAST tooling across all codebases and CI/CD pipelines.
  • Own the full implementation of DAST tooling across all customer‑facing and internal applications.
  • Establish baseline findings, prioritize remediation, and work directly with engineering to resolve issues.
  • Maintain and tune tooling over time as the codebase and attack surface evolve.
• Secure SDLC & Code Integrity
  • Define and enforce a secure software development lifecycle across engineering teams.
  • Establish secure release processes including code signing and build integrity verification.
  • Develop and maintain security standards, guidelines, and secure coding practices.
  • Integrate security checkpoints throughout the development pipeline without creating unnecessary friction for engineering.
• Threat Modeling
  • Lead threat modeling exercises for new infrastructure designs, features, and system changes.
  • Ensure all customer‑facing and internal applications are fully documented and threat modeled.
  • Maintain a living inventory of the company's attack surface and ensure it reflects current architecture.
• Dependency & Supply Chain Security
  • Implement and manage dependency scanning across all projects.
  • Enforce version pinning policies to reduce exposure from uncontrolled dependency updates.
  • Deploy and manage supply chain security tooling (e.g., Socket.dev or equivalent) to monitor for malicious or compromised dependencies.
  • Establish a process for ongoing dependency review and remediation.
• Penetration Testing
  • Define and maintain a penetration testing program covering all surface areas — applications, APIs, internal tooling, and infrastructure.
  • Scope, schedule, and manage third‑party penetration testing engagements.
  • Track findings through to remediation and validate fixes.
• Secrets Management
  • Design and implement a secrets management program across cloud infrastructure and engineering workflows.
  • Eliminate hardcoded credentials and secrets from codebases.
  • Establish policies and tooling for secrets rotation, access control, and audit logging.
• Fuzzing & Attack Surface Coverage
  • Implement fuzz testing across applicable components, particularly APIs and input‑handling logic.
  • Ensure coverage gaps in the attack surface are identified, documented, and addressed systematically.

Role Requirements:

• 7+ years of experience in application security or a closely related discipline.
• Demonstrated experience building or significantly maturing an application security program.
• Deep hands‑on experience with SAST and DAST tooling implementation and management.
• Strong knowledge of secure SDLC practices and CI/CD pipeline security integration.
• Experience with dependency scanning and software supply chain security.
• Proficiency in threat modeling methodologies (STRIDE, PASTA, or equivalent).
• Experience managing or coordinating third‑party penetration testing engagements.
• Solid understanding of secrets management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, or equivalent).
• Strong written and verbal communication skills — able to document findings and present risk clearly to both technical and non‑technical audiences.

What We Offer:

• Compensation: $185,000 to $260,000 + Equity.
• Equity compensation as a component of all offers.
• Health insurance, including dental and vision plans.
• Health, Dependent Care and Commuter Flexible Spending Accounts.
• Paid Parental Leave.
• Life insurance; short‑ and long‑term disability plans.
• Company‑funded 401(k) plan, no matching required.
• Unlimited PTO.
• 10 paid company‑wide holidays.
• Company‑wide winter break for most roles.
• Office spaces in San Francisco, New York, and London.
• Meals and snacks provided in office.
• Paid company cell phone or stipend.
• Bitwise “Buddy” Program (30‑day new‑hire success program).
• Annual anniversary gifts.
• Company‑wide events including annual holiday party.
• Internal Women of Bitwise (WOB) group with fun events.

Our Values:

• Create 'a ha' moments.
• Move fast, with informed rationale.
• Ask "What would the client want?".
• Show gratitude.

Your Interview Process:

• Recruiter Interview.
• Hiring Manager Interview.
• Work Sample.
• Meeting the Team.
• Executive/Founders Interview.
• References.
• Offer!

Bitwise is an equal opportunity employer. We are committed to building a team of people with a variety of backgrounds, perspectives, and skills. It is the policy of Bitwise to ensure equal opportunity. All candidates are considered without regard to race, color, religion, national origin, age, sex, sexual orientation, gender identity, marital status, ancestry, physical or mental disability, veteran status, or any other legally protected characteristics. Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records. Please note that we do not sponsor visas for persons without work authorization in the United States. This role is for full‑time employees only (no B2B or contractors). Thank you!