[Remote] Staff Developer / Development Manager, Application Security
Note: This is a remote role open to candidates in the USA.

atVenu is a revenue-positive company that has successfully navigated the startup landscape and is now focused on enhancing its application security. The Staff Developer / Development Manager will lead the application security program, manage a team of developers, and ensure compliance with PCI, GDPR, and SOC2 while balancing security needs with business objectives.
Responsibilities
- Define the roadmap, own application security risks, and make the case to engineering and executive leadership for what gets resourced and when
- Hire, develop, and retain application security developers
- Set technical direction, run code and architecture reviews, unblock your team, and build a security culture that scales across a fast-moving engineering organization without becoming a bottleneck
- Maintain and reduce cardholder data environment (CDE) scope across our Rails API, GraphQL layer, PostgreSQL, and mobile POS app
- Own the SOC2 and PCI DSS controls within our software development lifecycle
- Direct the audit and hardening of encryption, key management, and CouchDB sync pipeline
- Ensure GraphQL API changes are reviewed for injection risks, IDOR vulnerabilities, and over-exposed tenant data before they reach 500+ venues
- Own the SAST/DAST integration in our GitHub CI pipeline and set the bar for what ships
- Lead risk-ranked remediation across our Rails/Redis/PostgreSQL/CouchDB stack; your team needs a clear, fast process for deciding what gets patched and when
- Embed threat modelling into product development for new features
- Lead forensics, remediation, and post-mortems in collaboration with Engineering and Compliance
Skills
- 8+ years of development experience with at least 3 years in security-focused roles or responsibilities, plus demonstrated people management experience
- Experience building or maturing an application security program — roadmap ownership, risk prioritization, and cross-functional alignment with Engineering, Compliance, and Product
- Strong Ruby on Rails and React/React Native skills — you write and review production code, not just run scanners, and you've earned the kind of technical credibility that makes engineers actually listen when you make a point. Devs want to learn from you!
- Proven ability to communicate security risk to both technical and non-technical audiences and get organizational buy-in without resorting to fear or alarmism
- Hands-on AWS security experience: IAM, VPC, secrets management, CloudTrail/GuardDuty
- Deep knowledge of OWASP Top 10 (web and mobile), API security patterns, and common authentication/authorization flaws
- Experience and interest with AI tooling; you know when to use it and when to go old school
- Experience in the payment, retail and e-commerce space
- Experience with PCI, GDPR and/or SOC2 compliance in a production SaaS environment; deep knowledge of compliance and privacy management across North America and Europe
Company Overview