Opendoor Logo

Opendoor

Application Security Engineer

Reposted 3 Days Ago
Be an Early Applicant
Hybrid
Miami, FL
Senior level
Hybrid
Miami, FL
Senior level
Owner of application-layer security across consumer flows, GraphQL APIs, and AI-driven tooling. Build and operate AppSec tooling and triage, run threat modeling and security reviews, lead HackerOne and offensive testing, automate vulnerability triage and remediation with AI agents, and partner with engineering to harden authentication, authorization, and container/cloud security.
The summary above was generated by AI

About Opendoor

At Opendoor our mission is to tilt the world in favor of homeowners and those who aim to become one. Homeownership matters. It's how people build wealth, stability, and community. It's how families put down roots, how neighborhoods strengthen, how the future gets built. We're building the modern system of homeownership giving people the freedom to buy and sell on their own terms. We’ve built an end-to-end online experience that has already helped thousands of people and we’re just getting started.

About The Role

Our Security Engineering team builds intelligent systems that protect Opendoor and our customers while enabling unprecedented engineering velocity. We apply software engineering and AI to solve security problems across product, infrastructure, and operations by building guardrails where they matter, not gates where they don't.

As our Application Security Engineer, you'll own how we find, prioritize, and drive down application-layer risk across the consumer flows that put cash offers in homeowners’ hands, the GraphQL APIs that power our products, and the AI agents and vibe-coded tools our engineers ship every week. The job is to make it safe to build fast, not to slow things down.


What You'll Do

● Define, build and operate Opendoor’s application vulnerability identification capability - the tooling, triage workflow and remediation techniques across our consumer products, internal admin tools and GraphQL API powering home acquisition, resale, mortgage, title and escrow. 

● Assess, rationalize and own our AppSec tooling stack - static and dynamic security testing, software supply chain risk detection and secrets scanning and integrate findings into developer workflows where engineers already live (GitHub, Linear, Slack).

● Own and mature our HackerOne program: tightening the triage workflow, improving signal to noise on incoming reports, strengthening researcher relationships and closing the loop with engineering teams so root causes get addressed quickly. 

● Lead threat modeling and security design reviews for new services, APIs, and mobile features. Turn the patterns you see into rules, lint checks, and CI guardrails so the next team doesn't make the same mistake.

● Build AI agents and automated workflows that triage vulnerability reports, validate exploit reproductions, and draft remediation pull requests, replacing manual security review with high-signal automation.

● Partner with engineering teams to harden authentication, authorization, and input validation across our codebase and production services, including the GraphQL gateway (Apollo) and our Kubernetes workloads - while driving a shift-left strategy that catches vulnerabilities before they ship.

● Build Opendoor’s offensive security capability. Scope and run internal security testing, red team exercises and adversarial analysis of our highest-risk flows ensuring findings directly harden detection and response.  

● Set the bar for what "secure by default" looks like for AI-maximalist engineering, including vibe-coded apps, MCP servers, and agent-driven workflows that touch production data.

● Build Opendoor’s security culture by establishing secure design standards, embedding into engineering team rituals and developing a strong security mindset - creating a foundation for engineers to think like attackers without slowing down. 


Tech Stack

● Languages: Go, Python, TypeScript, Ruby, Terraform

● Cloud: AWS, GCP, Azure, Kubernetes, Apollo GraphQL

● AppSec Tooling: GitHub Advanced Security (CodeQL, Dependabot, secret scanning), Semgrep, HackerOne, Burp Suite, Cloudflare WAF

● AI Tooling: Claude, OpenAI, various agent frameworks, MCP — used heavily for vulnerability triage, exploit verification, and remediation drafting


What You'll Need

● Deep conviction that AI and automation should eliminate manual work and increase the team's impact, and a track record to prove it. You’ve built agentic systems that replaced reactive security work, not just configured off-the-shelf tools.

● Comfort operating with high autonomy in ambiguous environments. You’ve defined what “good” looks like in a domain where no playbook existed, you’re energized by that, not unsettled by it. 

● Business enablement security mindset. You measure success by business impact and informed risk-taking, not by tickets opened or pen test reports filed.

● 5+ years of application security or software engineering experience with a security focus, with strong skills in at least one of Python, Go, TypeScript, or Ruby, and the ability to read and write code across the others.

● Hands-on expertise across the security risk detection toolchain with real deployment experience using GitHub Advanced Security, Semgrep, or equivalent.

● Strong grasp of common application and API vulnerability classes including GraphQL, REST, and gRPC security pitfalls - broken authorization, mass assignment, introspection exposure, insecure direct object references.

● Practical threat modeling skills. You can take an architecture diagram and a 30-minute conversation and walk out with the three things that actually matter.

● Experience with cloud and container security on AWS and Kubernetes, including identity and access management, secrets management, and continuous integration / continuous deployment pipeline security.

● Humility and genuine curiosity. You're as excited to learn from product engineers and enable their work as you are to break things.


Bonus Points

● Offensive security experience including pentesting, API security, or mobile security, and/or red team operations.

● Experience running a bug bounty or coordinated disclosure program at scale.

● Mobile application security review experience (iOS and Android).

● Experience securing AI and machine learning pipelines, agent frameworks, or MCP-style integrations.

● OSCP, OSWE, or similar offensive certifications.


Location

This role is based in our downtown Miami office, in-person four days per week (Monday, Tuesday, Thursday, Friday). Candidates must be based within commuting distance of the office.

Similar Jobs at Opendoor

13 Hours Ago
Hybrid
Expert/Leader
Expert/Leader
eCommerce • Fintech • Real Estate • Software • PropTech
The Director of People Business Partner role focuses on enhancing organizational effectiveness, talent performance, and leader accountability using AI and data analytics. The position involves strategic partnership with senior leaders to address workforce planning, performance management, and system design to improve overall effectiveness and employee experience.
Top Skills: AIData Analytics
13 Hours Ago
Hybrid
Expert/Leader
Expert/Leader
eCommerce • Fintech • Real Estate • Software • PropTech
Lead end-to-end revenue operations for acquisition and resale, using AI and analytics to optimize conversion, pricing, and volume. Build experimentation programs, run SQL/statistical analyses, prototype AI tools, create playbooks, train reps, and hire a small high-leverage team while partnering with cross-functional leaders to drive measurable commercial performance.
Top Skills: ChatgptClaudeCursorSQL
13 Hours Ago
Hybrid
Senior level
Senior level
eCommerce • Fintech • Real Estate • Software • PropTech
Oversee mortgage operations, including full P&L responsibility, regulatory compliance, team leadership, and mortgage origination processes. Drive business growth, manage key relationships, and ensure operational excellence.
Top Skills: Mlo LicensesNmls Registration

What you need to know about the Calgary Tech Scene

Employees can spend up to one-third of their life at work, so choosing the right company is crucial, not just for the job itself but for the company culture as well. While startups often offer dynamic culture and growth opportunities, large corporations provide benefits like career development and networking, especially appealing to recent graduates. Fortunately, Calgary stands out as a hub for both, recognized as one of Startup Genome's Top 100 Emerging Ecosystems, while also playing host to a number of multinational enterprises. In Calgary, job seekers can find a wide range of opportunities.

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account