Senior Application Security Engineer

Location: Remote, USA
Employment Type: Full-Time
Compensation: $158,000.00 - $198,250.00 (Range applies to US candidates only) + Benefits/Variable Comp/Equity - Range may vary based on experience.Benefits Offered: Vision, Medical, Life, Dental, 401K

The Senior Application Security Engineer joins the Information Security team and plays a key role in securing the OneStream platform throughout the software development lifecycle. This role is responsible for defining and enforcing secure coding and development practices, performing application security testing to identify risks and vulnerabilities before release and in production, and reviewing the output of application security tools to provide clear remediation guidance across the organization.

In addition, the Senior Application Security Engineer partners with engineering teams on the planning and architecture of new features, contributes to platform security design, and leads or supports the development of custom security tools and scanning capabilities. The ideal candidate brings a strong foundation in secure development and programming practices, hands‑on experience with C# and .NET, and a passion for protecting customers. This role requires effective communication across technical and non‑technical audiences and may involve developing proof‑of‑concept exploits to validate vulnerabilities and assess real‑world risk.

• Perform manual and automated application security testing to identify vulnerabilities across the OneStream platform.
• Conduct code analysis to assess and ensure the security of application code.
• Evaluate the software development lifecycle (SDLC) to identify opportunities to strengthen application and supply‑chain security.
• Partner with Development and Engineering teams to embed security into OneStream services and workflows.
• Collaborate with members of the Security team to identify attack patterns and indicators of compromise.
• Design, develop, and maintain custom security testing tools to support internal testing efforts.
• Define, document, and enforce secure development policies, standards, and procedures.
• Provide mentorship and technical guidance to junior members of the Security team to support growth and knowledge sharing.
• Document, communicate, and report security findings and risks identified during testing activities.
• Perform penetration testing against OneStream assets to validate application and infrastructure security.
• Conduct security architecture and design reviews to ensure secure‑by‑design implementations.
• Provide secure design and secure coding guidance to engineering teams throughout the development lifecycle.

• One of the following combinations of education and experience:
  • Bachelor's degree in Computer Science, Engineering, or a related field with 8+ years of experience in application security testing, penetration testing, or software development;
  • Master's degree in Computer Science, Engineering, or a related field with 3+ years of experience in application security testing, penetration testing, or software development;
  • Associate degree in Computer Science, Engineering, or a related field with 12+ years of experience in application security testing, penetration testing, or software development.
• 3+ years of hands‑on experience conducting threat modeling for applications and systems and translating findings into actionable remediation guidance.

• Experience writing and reviewing C# and .NET code, including secure coding and code review practices.
• Hands‑on experience performing penetration testing of web applications.
• Experience decompiling and reverse engineering .NET libraries.
• Broad experience across IT security and infrastructure, security risk management, and compliance frameworks such as SOC 2 and FedRAMP, including security policies, procedures, testing, auditing, and internal audit.
• Industry‑recognized offensive security or penetration testing certifications, such as:
  • Offensive Security Certified Professional (OSCP)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • GIAC Penetration Tester (GPEN)
  • Other relevant offensive security or penetration testing certifications
• Outstanding written and verbal communication skills, with the ability to clearly explain complex technical concepts to both technical and non‑technical audiences.

• Highly organized with strong analytical and reasoning skills.
• Self‑motivated self‑starter who works effectively both independently and with minimal direction.
• Independent thinker with sound judgment and the ability to make well‑reasoned decisions.
• Ability to think quickly, evaluate trade‑offs, and make decisions in fast‑paced environments.
• Strong prioritization and multitasking skills, with the ability to manage multiple initiatives simultaneously.
• Comfortable communicating and collaborating with stakeholders at all levels of the organization, including senior leadership.
• Experience with OneStream Software is not required; experience with financial consolidation or enterprise performance management platforms is a plus.

OneStream is how today's Finance teams can go beyond just reporting on the past and Take Finance Further by steering the business to the future. It's the only enterprise finance platform that unifies financial and operational data, embeds AI for better decisions and productivity, and empowers the CFO to become a critical driver of business strategy and execution. Our vision is to be the operating system for modern finance, digitizing core financial functions and empowering the CFO to become a critical driver of business strategy. To learn more visit www.onestream.com.

• Transparency around corporate structure, salary, and benefits
• Core value of customer success
• Variety of project work (not industry‑specific)
• Strong culture and camaraderie
• Multiple training opportunities

• Excellent Medical Plan
• Dental & Vision Insurance
• Life Insurance
• Short & Long Term Disability
• Vacation Time
• Paid Holidays
• Professional Development
• Retirement Plan

All candidates must be legally authorized to work for any company in the country where this position is located without sponsorship.

OneStream is an Equal Opportunity Employer.

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.