Role Overview
This role is on the Strava Security Team, which exists to protect Strava's people, business, and data through integrated, proactive security practices. We work across all security domains, including, but not limited to, product security, vulnerability management, incident response, infrastructure, network, governance, and enterprise security. We follow a flexible hybrid model that translates to more than half your time on-site in our London office—three days per week.
Responsibilities and Qualifications
You will thrive in this role if you:
- Are passionate about protecting a platform that supports millions of athletes by ensuring Strava's applications and infrastructure are secure, resilient, and compliant across regions.
- Enjoy working closely with engineering, infrastructure, and security teams to design and implement secure architectures and development practices.
- Will have a high-leverage impact by shaping how Strava manages application and infrastructure risks in the EU, ensuring speed, accuracy, and consistency in remediation and governance.
- Are excited to build automated workflows that identify vulnerabilities early, enforce secure configurations, and strengthen our CI/CD and cloud security controls.
- Will collaborate across Security, Engineering, Legal, and Compliance to ensure that systems, processes, and data handling meet EU regulatory standards and Strava's global security expectations.
Your responsibilities include:
- Being highly self-motivated and detail-oriented, with a strong sense of ownership for Strava's regional application and infrastructure security posture.
- Serving as the primary security point of contact for Strava Group in the EU, bridging global strategy with local implementation and compliance.
- Driving secure-by-design practices across engineering teams, including threat modeling, architecture reviews, and vulnerability management.
- Partnering with Engineering and Infrastructure teams to embed automated security checks into CI/CD pipelines and infrastructure-as-code deployments.
- Coordinating regional incident response, vulnerability triage, and remediation validation in partnership with the global security team.
You will be successful here if you:
- Bring hands-on experience in application and infrastructure security, including code review, threat modeling, and securing cloud-native environments (AWS preferred).
- Have designed or implemented automated security controls in CI/CD pipelines using tools like Semgrep, Tenable, GHAS, Snyk, or custom scripting.
- Understand how to secure containerized and distributed environments, including Kubernetes, IAM, and network segmentation.
- Are comfortable managing vulnerability management programs end-to-end, from detection and prioritization through engineering remediation.
- Have familiarity with EU security and privacy frameworks (GDPR, NIS2) and know how to apply them pragmatically to cloud infrastructure and data systems.
- Are collaborative and pragmatic, able to influence engineering teams through partnership, technical credibility, and clear communication.
- Communicate proactively and effectively across technical and non-technical stakeholders, ensuring alignment between EU operations and global security strategy.
EEO Statement
Strava is an equal opportunity employer. In keeping with the values of Strava, we make all employment decisions, including hiring, evaluation, termination, promotional and training opportunities, without regard to race, religion, color, sex, age, national origin, ancestry, sexual orientation, physical handicap, mental disability, medical condition, disability, gender identity or expression, pregnancy or pregnancy-related condition, marital status, height and/or weight. We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us to request accommodation.
California Consumer Protection Act Applicant Notice
Compensation
For roles based at our London office: £93,500 - £110,000. This range reflects base compensation only and does not include equity or benefits. Your recruiter can share more details about the full compensation package during the hiring process.