UniUni

Staff Application Security Engineer

UniUni  •  Canada / United States (Remote)  •  28 days ago

Job Description

About UniUni

UniUni is a late-stage last-mile logistics company moving millions of parcels across the United States and Canada for some of the largest e-commerce platforms in North America. Our technology is cloud-native on AWS. We hold an active ISO 27001 certification and SOC 2 Type II attestation, and security is central to how we operate and how our customers trust us. This role reports to the Information Security Officer and is based in North America (remote with periodic travel to UniUni hubs).

About the role

We are hiring a Staff Application Security Engineer to be the senior technical anchor for product and platform security at UniUni. You will set the bar for how we build secure software, embed security into our engineering pipelines, and harden our customer-facing products. You will spend your time shoulder-to-shoulder with engineering, not adjacent to it.

This is a hands-on role. You will write code, review code, build tooling, and lead the technically hardest work across application security, DevSecOps and platform security, and product security. You will set standards that scale, but you will also dig into real systems to find real problems and ship real fixes.

What you'll do

Application Security

  • Lead threat modeling on new and existing services, focusing on the systems where the risk is real and the architecture is in motion.
  • Run our secure code review program, including the design of review playbooks, the hardest reviews yourself, and coaching engineers to catch issues earlier.
  • Operate and tune our AppSec tooling stack across SAST, DAST, SCA, and secrets scanning, keeping signal high and noise low.
  • Own the third-party penetration testing program in partnership with the ISO, from scoping through findings triage and fix verification.
  • Drive standards for authentication, authorization, session management, and API security across our products, and engineer the hard parts yourself when needed.

Platform Security and DevSecOps

  • Embed security controls into our CI/CD pipelines so the secure path is the default path: pre-commit checks, build-time scans, signed artifacts, and policy-as-code gates.
  • Harden our cloud workloads on AWS, including container and Kubernetes security, secrets management, and runtime protections.
  • Codify infrastructure security baselines as IaC and policy (e.g., OPA/Conftest, AWS SCPs, Terraform guardrails) and own the rollout across the platform.
  • Partner with the platform team on identity-aware access to infrastructure, including non-human identities, short-lived credentials, and privileged access patterns.

Product Security

  • Engineer enterprise SSO (SAML 2.0 and OpenID Connect) into customer-facing products in support of contractual security commitments to enterprise shippers.
  • Set the technical direction for API security, including authentication, authorization, rate limiting, abuse prevention, and tenant isolation.
  • Drive secure-by-default patterns for data handling in our products, including encryption, key management, and access controls for customer and operational data.
  • Be the senior technical voice in customer security reviews when the questions go past what a questionnaire can answer.

Across All of It

  • Triage and lead response to application and platform security incidents, including root cause analysis and durable fixes.
  • Mentor engineers on secure design and secure coding, and raise the security fluency of the engineering organization through training, office hours, and example.
  • Contribute to ISO 27001 and SOC 2 evidence, control design, and audit readiness for the controls you operate.

Qualifications

  • 8+ building and securing production software, with the last several focused on application security, product security, or DevSecOps as your primary discipline.
  • Deep, demonstrable software engineering ability. You read code fluently across multiple languages, you write production-quality code, and engineers respect your technical judgment.
  • Hands-on experience securing AWS workloads at scale, including IAM, networking, container and Kubernetes security, and IaC (Terraform or equivalent).
  • Working command of modern AppSec tooling (SAST, DAST, SCA, secrets scanning) and how to deploy it in a CI/CD pipeline without grinding delivery to a halt.
  • Strong threat modeling skills and a track record of turning models into shipped controls.
  • Practical experience implementing SAML 2.0 and OpenID Connect, and a clear mental model of identity, session, and authorization design.
  • Experience leading the technical response to security incidents in production environments.
  • Ability to influence engineers and engineering leaders without authority. You explain risk in terms that engineers act on, and you partner rather than police.

Nice to Have

  • Experience in logistics, supply chain, marketplaces, or other high-volume transactional businesses.
  • Background contributing to or maintaining open source security tooling.
  • Prior experience supporting ISO 27001 or SOC 2 control design from the engineering side.
  • Offensive security background (CTFs, bug bounty, red team) that informs how you think about defense.
  • Experience hardening LLM-integrated or AI-powered features in production.

Why This Role

This is a senior IC role with real scope. You will set standards that the engineering organization actually adopts because you will have built them, shipped them, and proved they work. You will report to the Information Security Officer in a security function with executive commitment, a live ISO 27001 certification, and an active SOC 2 Type II attestation, and you will have the autonomy and the mandate to make UniUni's products and platform meaningfully more secure.

About UniUni

Founded in 2019 and headquartered in Richmond, B.C., Canada, UniUni is a leading technology-enabled logistics company revolutionizing the last-mile delivery landscape for the e-commerce industry.

As a platform that seamlessly integrates advanced technology with efficient delivery solutions, UniUni enables businesses to provide a superior online shopping experience, ensuring unparalleled efficiency and customer satisfaction.

UniUni serves a diverse range of clients—from e-commerce platforms to online retailers and brands—and offers exceptional service across North America.

Industry: Transportation & Logistics
Company Size: 501-1,000 employees
Headquarters: Richmond, CA
Year Founded: 2019