Remote Security Risk Assessment Jobs in Oregon (NOW HIRING)

The Team:

Upstart's Application Security team is passionate in bringing progressive approaches in securing our products. We believe that security should empower innovation, move at the speed of business, and have safety by design as core principles. Our team's mission is to ensure the safety of our core product platforms, enterprise, and manage threats to Upstart. We approach our efforts through automation, strong collaboration with our partner teams, and maintaining a positive experience for Upstarters.. 

As the Principal Application Security Engineer at Upstart, you will be expected to lead cross-functional and cross-organizational discussions and outcomes around threat modeling, application and infrastructure security. You will be expected to deeply understand the business verticals and product needs and influence them to build highly secure systems and platforms. You will have a direct hand in shaping the strategic security posture and roadmap for Upstart and should be a  well-rounded technologist and security practitioner.

How you'll make an impact:

• Define and drive Upstart's application security strategy, aligning secure-by-design principles with business priorities, regulatory expectations, and our AI-driven product roadmap.
• Lead cross-functional security architecture reviews for critical initiatives, influencing engineering, platform, data, and infrastructure decisions to reduce systemic risk early in the SDLC.
• Establish and scale a robust threat modeling program for high-risk systems, including customer-facing applications, lending workflows, and ML/AI pipelines, translating findings into durable engineering standards and controls.
• Design and standardize application security guardrails across the SDLC, including secure coding practices, automated testing (SAST/DAST/SCA), CI/CD protections, and secrets management.
• Partner with Infrastructure and Cloud teams to strengthen the security posture of cloud-native and distributed systems, ensuring defense-in-depth across application and infrastructure layers.
• Identify and reduce internal and external attack surface through automation and platform-level solutions, prioritizing long-term risk reduction over point-in-time remediation.
• Serve as a senior technical authority during high-severity incidents, driving root cause analysis and durable architectural improvements.
• Elevate security maturity across the organization by mentoring engineers, influencing leadership through clear risk metrics, and fostering a culture where security enables innovation.

What we're looking for:
Minimum requirements:

• 9+ years of experience in security engineering, with at least 5 years focused on application security
• Demonstrated experience leading security architecture reviews and threat modeling for complex, customer-facing production systems
• Experience in Java, Python or Ruby development.
• Experience designing and implementing application security controls across the SDLC, including secure coding standards, API Security, SAST/DAST/SCA, CI/CD security, and secrets management
• Demonstrable track record as an influential leader, delivering security solutions with multiple stakeholder groups
• Experience managing multiple and simultaneous, significant information security initiatives and programs
• Experience developing code and building services to enhance unique security operational needs 
• Experience with advanced threat modeling techniques and risk assessment

Preferred qualifications:

• 10+ years of experience spanning across multiple security and engineering domains in a cloud-native and/or distributed systems environment
• Experience building or scaling an application security program, including defining metrics, maturity models, and risk-based prioritization frameworks
• Familiarity with security considerations in modern frontend frameworks, APIs (REST/GraphQL), and microservices architectures.
• Experience partnering with Legal, Risk, Compliance, and Audit teams to operationalize security controls in regulated environments
• Security certifications such as CISSP, CCSP, AWS Security Specialty, or equivalent practical expertise

Position Location - This role is available in the following locations: San Mateo, Columbus, Austin, Remote 

Time Zone Requirements - This team operates on the East/West Coast time zones.

Travel Requirements - This team has regular on-site collaboration sessions. These occur 3-4 days per Quarter at one of our office locations or some other off-site location determined by your team/manager. If you need to travel to make these meetups, Upstart will cover all travel related expenses.

#LI-REMOTE

#LI-MidSenior