Senior Application Security Engineer at onit

About Onit We're redefining the future of legal operations through the power of AI. Our cutting-edge platform streamlines enterprise legal management, matter management, spend management and contract lifecycle processes, transforming manual workflows into intelligent, automated solutions. We’re a team of innovators using AI at the core to help legal departments become faster, smarter, and more strategic. As we continue to grow and expand the capabilities of our new AI-centric platform, we’re looking for bold thinkers and builders who are excited to shape the next chapter of legal tech. If you're energized by meaningful work, love solving complex problems, and want to help modernize how legal teams operate, we’d love to meet you. Position Summary Onit, Inc. is looking for an Application Security Engineer to help secure our SaaS applications, APIs, and emerging AI capabilities. This is a hands-on, high-impact role where you’ll work closely with engineering and product teams to design secure systems, identify vulnerabilities, and improve how we build software. You’ll play a key role in shaping our security practices as we scale. Key Responsibilities Security Architecture & Design Reviews • Lead security reviews for application architecture and system design • Evaluate designs for: • Authentication & authorization models • Data access patterns • API exposure and trust boundaries • Provide clear, actionable guidance to engineering teams • Identify risks early and influence secure design decisions Go-Live Security Reviews & Risk Decisions • Conduct pre-production / go-live security assessments • Determine whether a feature is safe to launch and what risks must be mitigated vs accepted • Partner with engineering and product to prioritize fixes and define compensating controls • Act as a security approver / advisor for production releases Authentication, Authorization & Access Control • Design and assess: • OAuth2, OIDC, SAML implementations • RBAC / fine-grained authorization models • Identify and remediate broken access control and privilege escalation paths • Drive adoption of least privilege and secure access patterns API Security • Lead security reviews of REST, GraphQL, and event-driven APIs • Identify risks such as: • Broken Object Level Authorization (BOLA) • Injection vulnerabilities • Data leakage • Define standards for: • API authentication • Input validation • Rate limiting and abuse protection AI & Emerging Technology Security • Assess security risks in AI-powered features and systems • Evaluate threats such as: • Prompt injection • Data leakage via LLMs • Model misuse and access control gaps • Help define and implement AI security guardrails • Review architectures involving MCP (Model Context Protocol) or similar AI integration patterns Vulnerability Management & Testing • Lead vulnerability identification using Static analysis (SAST) and Dependency scanning (SCA) • Validate findings and eliminate false positives • Prioritize vulnerabilities based on exploitability and business impact • Drive remediation with engineering teams Attack Surface & Risk Assessment • Assess and map application attack surface • Identify exposed services, endpoints, and integrations • Evaluate third-party and supply chain risks • Continuously improve visibility into application risk Security Tooling & DevSecOps • Integrate and optimize security tools in CI/CD pipelines • Define security gates for builds and releases • Automate security checks where possible • Improve developer experience with secure defaults Required Skills • 10+ years of experience in Application Security, Security Engineering, or Software Engineering with a strong security focus • Proven experience performing security architecture/design reviews, as well as Go-live/production readiness security assessments, with experience with cloud platforms (AWS, GCP, Azure) preferred • Strong understanding of OWASP Top 10 and modern web vulnerabilities and secure system design and threat modeling • Experience with SAST tools (e.g., SonarQube, Checkmarx) and SCA tools (e.g., Snyk, Dependabot) • Ability to assess real-world risk and prioritize effectively in a SaaS environment • Understanding of LLM risks (prompt injection, data leakage) and AI system architecture • Exposure to securing AI features or platforms • Familiarity with MCP or similar AI integration patterns • Deep Expertise in the following: • Authentication & Authorization • OAuth2, OIDC, SAML • RBAC / ABAC / least privilege models • API Security • REST / GraphQL • Common API attack vectors (BOLA, injection, data exposure) • Application Security • Secure coding practices • Input validation, output encoding, session management Benefits & Perks That Support You: Onit offers a comprehensive total rewards package designed to support the whole employee at work and beyond: Health Coverage: Employee and immediate family members. Time Away: Flexible paid time off and 10 company paid holidays annually. Family Support: Exceptional paid leave for birth parents, non-birth parents, and caregivers.  Onit also offers surrogacy and adoption reimbursement. Income Protection: 100% employer-paid life and disability insurance. Additional Coverage Options: Voluntary benefits including hospital indemnity, critical illness, accident. Tax-Advantaged Accounts: Flexi, NPS. Community Engagement: One paid volunteer day each year to give back to the community. Our Commitment to Applicants We know that not everyone will check every box in a job description. At Onit, we value diversity, inclusion, and authenticity. If you’re excited about this role but your experience doesn’t align perfectly with every qualification, we encourage you to apply. You may be exactly who we’re looking for. Onit Values  Customer First - Customer success is our success. We deliver value, listen, and act on customer needs.  Purposeful Innovation - Innovation fuels our growth. We harness creativity to solve problems and lead with the intentions and expertise.  Win as One - Teamwork is how we win. We are accountable, act with integrity, and communicate openly.  Intentional Growth - Our people are the difference. We create an environment with compelling work, impactful contributions, and career growth.