Staff Application Security Engineer

<p>At Webflow, we’re building the world’s leading AI-native Digital Experience Platform, and we’re doing it as a remote-first company built on trust, transparency, and a whole lot of creativity. This work takes grit, because we move fast, without ever sacrificing craft or quality. Our mission is to bring development superpowers to everyone. From entrepreneurs launching their first idea to global enterprises scaling their digital presence, we empower teams to design, launch, and optimize for the web without barriers. We believe the future of the web, and work, is more open, more creative, and more equitable. And we’re here to build it together.</p> <p>We’re looking for a Staff Application Security Engineer to help us level up Webflow’s secure development practices ranging from secure coding, tooling, and improving procedures.</p> <h1><strong>About the role:</strong></h1> <ul> <li>Location: Remote-first (United States; BC &amp; ON, Canada)</li> <li>Full-time</li> <li>Permanent</li> <li>Exempt</li> <li>The cash compensation for this role is tailored to align with the cost of labor in different geographic markets. We've structured the base pay ranges for this role into zones for our geographic markets, and the specific base pay within the range will be determined by the candidate’s geographic location, job-related experience, knowledge, qualifications, and skills. <ul> <li>United States &nbsp;(all figures cited below are in USD and pertain to workers in the United States)<br> <ul> <li>Zone A: $175,000 - $220,000</li> <li>Zone B: $164,000 - $209,000</li> <li>Zone C: $154,000 - $196,000</li> </ul> </li> <li>Canada (figures cited below are in CAD and pertain to workers in ON &amp; BC, Canada) <ul> <li>CAD 199,000 - CAD 280,000</li> </ul> </li> </ul> </li> </ul> <p>This role is also eligible to participate in Webflow's company-wide bonus program. Target amounts are a percentage of base salary and vary by career level. Payouts are based on company performance against established financial and operational goals.&nbsp;</p> <p>Please visit our <a href="https://webflow.com/careers#pay-zones">Careers page</a> for more information on which locations are included in each of our geographic pay zones. However, please confirm the zone for your specific location with your recruiter.</p> <ul> <li>Application Information: <ul> <li>Application deadline: applications accepted on an ongoing basis until position is closed and filled</li> <li>This posting is for an existing vacancy</li> </ul> </li> <li>Reporting to the Manager, Application Security</li> </ul> <p>As a Staff Application Security Engineer, you’ll…&nbsp;</p> <ul> <li>Collaborate with the Webflow engineering team to secure Webflow’s web application platform and ecosystem.</li> <li>Bring security best practices to the software development lifecycle.</li> <li>Work as part of a team to champion security standards while balancing business strategies and requirements.</li> <li>Support Webflow’s security current and future compliance frameworks</li> <li>Work to find security vulnerabilities through grey-box techniques, and propose solutions at the architecture and code level to mitigate findings.</li> <li>Contribute code and architecture improvements to enable security within Webflow’s application for engineers.</li> <li>Cross-train entry and mid-level application security engineers</li> </ul> <p>In addition to the responsibilities outlined above, at Webflow we will support you in identifying where your interests and development opportunities lie and we'll help you incorporate them into your role.</p> <h1><strong>About you:</strong></h1> <p>Requirements:</p> <ul> <li>BA/BS degree or equivalent experience</li> </ul> <p>You’ll thrive as a Staff Application Security Engineer if you:</p> <ul> <li>You bring <strong>7+ years of application security experience</strong>, including <strong>hands-on software development</strong>, and have operated as a technical authority in securing <strong>high-complexity, large-scale applications</strong>.</li> <li>You have deep expertise in <strong>secure software design, secure coding, and modern web application security</strong>, with a proven ability to <strong>identify security design flaws and complex business-logic vulnerabilities</strong>, and to <strong>drive risk-based remediation</strong> with engineering teams.</li> <li>You regularly <strong>lead threat modeling efforts</strong>, conduct and oversee <strong>advanced penetration testing</strong>, and <strong>manage third-party pentests</strong>, ensuring findings are clearly documented, communicated, and remediated to completion.</li> <li>You have <strong>designed, implemented, and evolved software supply chain security programs</strong>, and have <strong>owned or led bug bounty programs and major security tooling initiatives</strong>, shaping strategy rather than acting solely as a contributor.</li> <li>You have <strong>implemented and improved Secure Development Lifecycle (SDLC) processes</strong> at scale, including planning, automation, and cross-org communication, influencing how multiple teams build and ship software securely.</li> <li>You have <strong>driven multi-quarter application security roadmaps and complex security programs</strong>, partnering with engineering, product, and platform teams to deliver durable security outcomes.</li> <li>You have <strong>led security initiatives within large-scale solutions</strong>, including <strong>designing and delivering security features directly into applications</strong> (e.g., authorization models, security controls, or admin-level protections) in close collaboration with engineering and partner orgs.</li> <li>You have experience <strong>using and building security solutions that leverage agentic AI</strong>, including applying AI coding agents to scale security reviews, detection, and automation responsibly.</li> <li>You have participated in and <strong>led response efforts for application security incidents</strong>, from triage and containment through remediation and post-incident improvements.</li> <li>You actively <strong>mentor and elevate other application security engineers</strong>, and help foster strong security practices and judgment across engineering organizations.</li> <li>You are passionate about security, continuously learning, and <strong>able to clearly explain complex security concepts</strong> to technical and non-technical partners to drive alignment and action.</li> <li>Stay curious and open to growth — actively building fluency in emerging technologies like AI to unlock creativity, accelerate progress, and amplify impact.</li> </ul> <h3><strong>Our Core Behaviors:</strong></h3> <ul> <li><strong>Build lasting customer trust.</strong> We build trust by taking action that puts customer trust first.</li> <li><strong>Win together.</strong> We play to win, and we win as one team. Success at Webflow isn't a solo act.</li> <li><strong>Reinvent ourselves. </strong>We don't just improve what exists, we imagine what's possible.</li> <li><strong>Deliver with speed, quality, and craft.</strong> We move fast because the moment demands it, and we do so without lowering the bar.</li> </ul> <h3><strong>Benefits</strong></h3> <ul> <li><strong>Ownership in what you help build.</strong> Every permanent Webflower receives equity (RSUs) in our growing, privately held company.</li> <li><strong>Health coverage that actually covers you.</strong> Comprehensive medical, dental, and vision plans for full-time employees and their dependents, with Webflow covering most premiums.</li> <li><strong>Support for every stage of family life</strong>. 12 weeks of paid parental leave for all parents and 6+ weeks of additional paid leave for birthing parents. Plus inclusive care for family planning, menopause, and midlife transitions.</li> <li><strong>Time off that’s actually off. </strong>Flexible vacation, paid holidays, and a sabbatical program to help you recharge and come back inspired.</li> <li><strong>Wellness for the whole you. </strong>Access to mental health resources, therapy and coaching.</li> <li><strong>Invest in your future. </strong>A 401(k) with 100% employer match (up to $6,000/year) in the U.S., and support for retirement savings globally.&nbsp;</li> <li><strong>Monthly stipends that flex with your life.</strong> Localized support for work and wellness expenses — from Wi-Fi to workouts.</li> <li><strong>Bonus for building together. </strong>All full-time, permanent, non-commission employees are eligible for our annual WIN bonus program.</li> </ul> <p><em>Temporary employees may be eligible for paid holiday and time off, statutory leaves of absence, and company-sponsored medical benefits depending on their Fixed Term Contract and their country/state of employment.</em></p> <h3><strong>Remote, together</strong></h3> <p>At Webflow, equality is a core tenet of our culture. We are an Equal Opportunity (EEO)/Veterans/Disabled Employer and are <a href="https://webflow.com/diversity-equity-inclusion">committed</a> to building an inclusive global team that represents a variety of backgrounds, perspectives, beliefs, and experiences. Employment decisions are made on the basis of job-related criteria without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, or any other classification protected by applicable law. Pursuant to the San Francisco Fair Chance Ordinance, Webflow will consider for employment qualified applicants with arrest and conviction records.</p> <h3><strong>Stay connected</strong></h3> <p>Not ready to apply, but want to be part of the Webflow community? Consider following our story on our <a href="https://webflow.com/blog">Webflow Blog</a>, <a href="https://www.linkedin.com/company/webflow-inc-/">LinkedIn</a>, <a href="https://twitter.com/webflow">X (Twitter)</a>, and/or <a href="https://www.glassdoor.com/Reviews/Webflow-Reviews-E890506.htm">Glassdoor</a>.&nbsp;</p> <h3><strong>Please note:</strong></h3> <p><em>We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Upon interview scheduling, instructions for confidential accommodation requests will be administered.</em></p> <p><em>To join Webflow, you'll need a valid right to work authorization depending on the country of employment.</em></p> <p><em>If you are extended an offer, that offer may be contingent upon your successful completion of a background check, which will be conducted in accordance with applicable laws. We may obtain one or more background screening reports about you, solely for employment purposes.</em></p> <p><em>For information about how Webflow processes your personal information, please review </em><a href="https://webflow.com/legal/applicant-privacy-notice"><em>Webflow’s Applicant Privacy Notice</em></a><em>.&nbsp;</em></p> <p>&nbsp;</p>