Staff Application Security Engineer
Listed on 2026-07-13
-
IT/Tech
Cybersecurity, Systems Engineer
It’s rare that a new asset class is born. Nevertheless, we’re witnessing exactly that with the rise of crypto. Over just the last few years, since Bitwise was founded, crypto has evolved from an embryonic $50B market to a growing $3T+ juggernaut. At Bitwise, we believe that crypto has reached a turning point, and is headed north of $10T over the next few years.
This is an exciting moment for Bitwise as a firm. For eight years, we have established a track record of excellence managing a broad suite of index and active solutions across ETFs, separately managed accounts, private funds, institutional staking, and hedge fund strategies. This year, we crossed $15B in client assets and are growing quickly. Thousands of financial advisors, family offices, and institutional investors partner with Bitwise to understand and access the opportunities in crypto.
We are known for providing unparalleled client support through expert research and commentary, a nationwide client team of crypto specialists, and deep access to the crypto ecosystem.
Currently, Bitwise is a close-knit team of 100+ global professionals. Think of us as a mix of an asset manager and a tech start-up. We’re backed by some of the most accomplished investors in venture capital and veterans of the financial services world. We love working together, we love what we do, and we’re excited about what’s ahead.
About the RoleOur engineering organization is growing, and with that growth comes an expanding application and infrastructure footprint that requires dedicated application security ownership. This role exists to build that function from the ground up.
As our first dedicated Staff Application Security Engineer, you will own the design and implementation of our application security program, from SAST and DAST tooling to secure SDLC practices, threat modeling, dependency security, and penetration testing coordination. You will work directly with engineering teams across a cloud-based environment securing both customer-facing products and internal systems.
You will be reporting directly to the Head of Security and will have the autonomy and organizational support to build an application security program that is practical, scalable, and aligned to the risk profile of a company operating in the digital asset space.
Primary Responsibilities- Static & Dynamic Application Security Testing (SAST / DAST)
- Own the full implementation of SAST tooling across all codebases and CI/CD pipelines
- Own the full implementation of DAST tooling across all customer-facing and internal applications
- Establish baseline findings, prioritize remediation, and work directly with engineering to resolve issues
- Maintain and tune tooling over time as the codebase and attack surface evolve
- Secure SDLC & Code Integrity
- Define and enforce a secure software development lifecycle across engineering teams
- Establish secure release processes including code signing and build integrity verification
- Develop and maintain security standards, guidelines, and secure coding practices
- Integrate security checkpoints throughout the development pipeline without creating unnecessary friction for engineering
- Threat Modeling
- Lead threat modeling exercises for new infrastructure designs, features, and system changes
- Ensure all customer-facing and internal applications are fully documented and threat modeled
- Maintain a living inventory of the company’s attack surface and ensure it reflects current architecture
- Dependency & Supply Chain Security
- Implement and manage dependency scanning across all projects
- Enforce version pinning policies to reduce exposure from uncontrolled dependency updates
- Deploy and manage supply chain security tooling (e.g., Socket.dev or equivalent) to monitor for malicious or compromised dependencies
- Establish a process for ongoing dependency review and remediation
- Penetration Testing
- Define and maintain a penetration testing program covering all surface areas — applications, APIs, internal tooling, and infrastructure
- Scope, schedule, and manage third-party penetration testing engagements
- Track findings through to remediation and validate fixes
- Secrets Management
- Design and implement a secrets…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).