Opendoor

Application Security Engineer

Posted 2 Days Ago
Hybrid
Seattle, WA, USA
195K-244K Annually
Senior level
Own application-layer security for consumer products, GraphQL APIs, and internal tools: run AppSec tooling and HackerOne, perform threat modeling, build automated AI-driven triage/remediation, harden auth and cloud/container security, and lead offensive security exercises and developer enablement.
The summary above was generated by AI

About Opendoor

At Opendoor, our mission is to tilt the world in favor of homeowners and those who aim to become one. Homeownership matters. It's how people build wealth, stability, and community. It's how families put down roots, how neighborhoods strengthen, how the future gets built. We're building the modern system of homeownership, giving people the freedom to buy and sell on their own terms. We’ve built an end-to-end online experience that has already helped thousands of people, and we’re just getting started.

About the Role

At Opendoor, our goal is to build the biggest, most trusted housing platform and set a new standard for how people move. We've combined our deep, proprietary data and operational expertise with the power of artificial intelligence to make online home selling and buying radically simple.


Our Security Engineering team is building intelligent systems that protect Opendoor and our customers while enabling unprecedented engineering velocity. We apply software engineering and AI to solve security problems across product, infrastructure, and operations by building guardrails where they matter, not gates where they don't.


As our Application Security Engineer, you'll own the security of everything we ship — from the consumer flows that put cash offers in homeowners' hands, to the GraphQL APIs that power our products, to the AI agents and vibe-coded tools our engineers and operators build every week. You'll be the technical owner of how we find, fix, and prevent application-layer risk at Opendoor scale.


What You'll Do

● Find and fix application vulnerabilities across our consumer products, internal admin tools, and the GraphQL APIs powering home acquisition, resale, mortgage, title, and escrow.

● Own and evolve our AppSec tooling stack — SAST/DAST, SCA and secrets scanning — and integrate findings into developer workflows where engineers already live (pull requests, Linear, Slack).

● Run our HackerOne program: triage incoming reports, validate exploits, route fixes to product engineering teams, and determine root causes so we can stamp them out at the source.

● Lead threat modeling and security design reviews for new services, APIs, and mobile features — and turn the patterns you see into rules, lint checks, and CI guardrails so the next team doesn't make the same mistake.

● Build AI agents and automated workflows that triage vulnerability reports, validate exploit reproductions, and draft remediation PRs — replacing manual security review with high-signal automation.

● Partner with engineering teams to harden authentication, authorization, and input validation across our Ruby monolith and Go/Python/TypeScript services, including the GraphQL gateway (Apollo) and our EKS workloads, while driving a shift-left strategy to identify vulnerabilities earlier in the development lifecycle.

● Stand up a credible offensive security capability — internal pentesting, red team exercises, and adversarial analysis of high-risk flows (wire fraud, agent unlocks, identity verification) — leveraging purple team exercises to ensure offensive findings are directly translated into hardened detection and response capabilities.

● Set the bar for what "secure by default" looks like for AI-maximalist engineering, including vibe-coded apps, MCP servers, and agent-driven workflows that touch production data.

● Mentor engineers across the company in secure design, code review, and how to think like an attacker.


Tech Stack

● Languages: Go, Python, TypeScript, Ruby, Terraform

● Cloud: AWS, GCP, Azure, Kubernetes / EKS

● AppSec Tooling: GitHub Advanced Security (CodeQL, Dependabot, secret scanning), Semgrep, HackerOne, Burp Suite, Cloudflare WAF

● AI Tooling: Claude, OpenAI, various agent frameworks, MCP — used heavily for vuln triage, exploit verification, and remediation drafting


What You'll Need

● Deep conviction that AI and automation should eliminate manual work humans shouldn't be doing anyway. You're excited to replace developer toil and reactive vuln triage with automated systems, guardrails, and agents.

● Business enablement security mindset — you measure success by business impact and informed risk-taking, not by tickets opened or pen test reports filed.

● 5+ years of application security or software engineering experience with a security focus, with strong skills in at least one of Python, Go, TypeScript, or Ruby — and the ability to read and write code across the others.

● Hands-on expertise across the SAST/DAST/SCA toolchain, with real deployment experience using GitHub Advanced Security, Semgrep, or equivalent.

● Strong grasp of common application vulnerability classes (OWASP Top 10, OWASP API Security Top 10), with particular fluency in GraphQL, REST, and gRPC security pitfalls — broken authorization, mass assignment, introspection exposure, IDORs.

● Practical threat modeling skills — you can take an architecture diagram and a 30-minute conversation and walk out with the three things that actually matter.

● Experience with cloud and container security on AWS and Kubernetes, including IAM, secrets management, and CI/CD pipeline security.

● Humility and genuine curiosity — you're as excited to learn from product engineers and enable their work as you are to break things.


Bonus Points For

● Offensive security experience — pentesting web apps, APIs, or mobile, and/or red team operations.

● Experience running a bug bounty or coordinated disclosure program at scale.

● Mobile application security review experience (iOS and Android).

● Experience securing AI/ML pipelines, agent frameworks, or MCP-style integrations.

● OSCP, OSWE, or similar offensive certifications.



Opendoor Seattle, Washington, USA Office

2033 6th Ave, Seattle, WA, United States, 98121

What you need to know about the Seattle Tech Scene

Home to tech titans like Microsoft and Amazon, Seattle punches far above its weight in innovation. But its surrounding mountains, sprinkled with world-famous hiking trails and climbing routes, make the city a destination for outdoorsy types as well. Established as a logging town before shifting to shipbuilding and logistics, the Emerald City is now known for its contributions to aerospace, software, biotech and cloud computing. And its status as a thriving tech ecosystem is attracting out-of-town companies looking to establish new tech and engineering hubs.

Key Facts About Seattle Tech

  • Number of Tech Workers: 287,000; 13% of overall workforce (2024 CompTIA survey)
  • Major Tech Employers: Amazon, Microsoft, Meta, Google
  • Key Industries: Artificial intelligence, cloud computing, software, biotechnology, game development
  • Funding Landscape: $3.1 billion in venture capital funding in 2024 (Pitchbook)
  • Notable Investors: Madrona, Fuse, Tola, Maveron
  • Research Centers and Universities: University of Washington, Seattle University, Seattle Pacific University, Allen Institute for Brain Science, Bill & Melinda Gates Foundation, Seattle Children’s Research Institute
