Senior Application & Product Security Engineer

Babbel

Berlin · On-site · Senior · 1w ago

About the role

We are seeking a Senior Application Security Engineer to build and drive our application and product security program from the ground up. As a software development company specializing in language learning, our platform is central to our business, and securing it is critical to maintaining user trust, product reliability, and operational resilience. This is the first dedicated application security position in the organization. You'll have the opportunity to shape how we approach security across our products and platform from day one. Reporting to the Director of Information Security and internal IT, you will have the ownership and visibility to build a program that scales with the company.

Responsibilities

  • Build, maintain, and continuously evolve the application and product security program
  • Partner with engineering, product, and platform teams to embed security into the development lifecycle, improve our cloud security posture, and identify risks early with pragmatic solutions
  • Lead threat modeling throughout the development lifecycle to identify and mitigate risks in new features, architectural changes, and existing systems
  • Define and implement secure coding standards, conduct and guide secure code reviews, deliver developer training and best practices
  • Design and manage security automation across the SDLC, including automated scanning, security gates in CI/CD pipelines, policy-as-code enforcement, and software supply chain security
  • Own the vulnerability lifecycle (detection, triage, prioritization, and remediation) while monitoring emerging threats and industry trends relevant to our technology stack
  • Lead application-layer incident response when security issues arise
  • Drive secure AI adoption across the organization by working closely with engineering teams to establish a framework for the responsible and secure use of AI deployments, AI agents, and MCP servers, ensuring security keeps pace with evolving AI capabilities and integrations

Requirements

  • Strong experience in application security, product security, or software security engineering roles
  • Solid understanding of modern software development practices, cloud-native architectures (APIs, containers, serverless), and cloud platforms (e.g., AWS, GCP, Azure)
  • Hands-on experience with secure coding principles, common vulnerability classes (e.g., OWASP Top 10), and secure code reviews
  • Proficiency with security tooling across the SDLC: SAST, DAST, SCA, CSPM, secrets scanning, and CI/CD security automation
  • Experience performing threat modeling and delivering actionable recommendations
  • Familiarity with securing AI/ML systems, LLM integrations, or agentic AI architectures
  • Strong communication skills with the ability to partner with engineers, contribute to architectural discussions, and explain security concepts to non-technical stakeholders
  • Background as a software engineer or developer
  • Experience with Infrastructure as Code (e.g., Terraform) and CI/CD automation (e.g., GitHub Actions)
  • Experience in a product-led or agile development environment
  • Knowledge of regulatory or certification frameworks (e.g., ISO 27001)
  • We are a learning company, inside and out, and we encourage you to apply even if you do not fit all the technical requirements - all candidates are assessed based on skills, qualifications and on our business need

Benefits

  • 30 vacation days and flexible working hours
  • BVG card or Swapfiets bike
  • Jobbatical and Sabbatical options
  • Many internal & external learning opportunities to choose from
  • A yearly Learning & Development budget
  • Visa and relocation assistance
  • Full access to Babbel & Babbel Live classes
  • Modern office in the heart of buzzing Berlin equipped with a family, music, faith and nap room
  • Various internal communities to be part of including the Femgineers, DEI Ambassadors, Accessibility & Disability Group and more

Skills

AWS, Azure, CI/CD, CSPM, DAST, GCP, GitHub Actions, Infrastructure as Code, ISO 27001, LLM, OWASP Top 10, SAST, SCA, Serverless, Terraform
