Principal Application Security Engineer
Remote
Full Time
#Engineering
#Application Security
#Cyber Security
#Python
#Go
#PHP
#JavaScript
#Ruby
#Pen Testing
#AWS
#GCP
#SDLC
#Shell Scripting
Vimeo is the world's most innovative video experience platform, empowering millions of users to create high-quality video content that brings ideas to life. From independent storytellers to large-scale global enterprises, our community relies on us to host and share their work, which generates billions of views every month. As a Principal Application Security Engineer, you will play a vital role in protecting the content and data that our users entrust to us daily. You will join a collaborative environment where we prioritize security, innovation, and a supportive team culture.
Key outcomes
- Design and implement security architecture, including technical plans for cookie management, middleware development, and secure token handling.
- Conduct internal penetration testing on production and staging environments and coordinate engagements with external security firms.
- Develop internal automated security tools using languages such as Python, Go, or Bash to support our paved road initiatives.
- Perform threat modeling to identify potential vulnerabilities and provide actionable defense strategies to product and engineering teams.
- Execute code reviews to identify weaknesses early in the development process.
- Manage our bug bounty program by triaging reports and engaging with the research community.
- Configure and maintain Web Application Firewalls and rate-limiting rules to ensure system stability.
- Drive remediation efforts to reduce the mean time to resolve discovered security issues.
- Integrate automated security tooling, such as static and dynamic analysis, into our software development lifecycle.
- Lead incident response efforts, including detection, containment, and root cause analysis.
- Foster a strong security culture through developer education and cross-functional collaboration with infrastructure, compliance, and privacy teams.
Requirements
- At least 7 years of total experience in engineering, application security, or a closely related technical field.
- A minimum of 5 years of hands-on experience in software development, DevOps, or site reliability engineering.
- Strong proficiency in at least one of the following languages, with the ability to read and understand code in all of them: Python, Go, PHP, JavaScript, and Ruby.
- Expertise in application penetration testing using tools like Burp Suite or OWASP ZAP.
- Deep knowledge of modern web, mobile, and network security principles.
- Confidence working within cloud environments, specifically AWS or GCP.
- Proficiency in shell scripting and familiarity with standard SDLC tools such as Git, Jira, and Jenkins.
- Excellent communication skills with the ability to explain complex security concepts to developers.
- An upper-intermediate level of English proficiency.
- Availability to work a full-time, remote schedule that includes a daily three-hour overlap with US Eastern Time.
Preferred qualifications
- Prior professional experience specifically within application security.
- A portfolio or GitHub repository featuring security tools or scripts you have developed.
- Full-stack web development experience, particularly in building RESTful applications.
- A history of open-source vulnerability research or technical blogging.
- Familiarity with system security hardening guidelines and comprehensive SDLC principles.
Compensation
This is a full-time, remote position. We offer the flexibility of remote work as a core benefit of this role.
How to apply
If you are a puzzle solver who thrives in a collaborative team environment, we invite you to apply. Please submit your application through our careers portal to be considered for this position.