Information Security Engineer (Application Security Focus)
At Mechanical Orchard, we specialize in safely rewriting the most critical and complex business applications—the software that runs the world as we know it today—so they’re ready to adapt quickly and easily to market challenges and opportunities. Our approach emerged from observing the decades-long failure patterns in modernization efforts and is designed to eliminate the risks and disruptions that characterize most projects.
Our background in software development and the impact on the industry is well known: we've literally helped write the book on XP and other impactful Agile practices. We’re applying the same thoughtfulness and rigor in applying AI pragmatically where it helps. We believe in the durable principles behind Agile, and embrace the power of cross-functional teams, collective ownership, test driven development, short feedback loops, and continuous improvement.
We’re bringing joy to beleaguered IT teams everywhere. Together, we’re seeing how applying craft, expertise, and technologies we’re building can fundamentally transform the way companies operate, innovate, and win. Our values are: Do the right thing. Do what works. Be kind.
We're looking for a senior Information Security Engineer who thrives at the intersection of security and software engineering. You’ll partner with development teams, designing, reviewing and pair programming to build security into systems, automate security processes, and build a scalable security program as we grow. This is a hands-on role for someone who has actually built software, understands modern cloud environments, and is comfortable navigating the security implications of emerging technologies, including AI-powered and agentic systems.
Key Responsibilities
Build Security into Development: Work alongside engineering teams to integrate security throughout the SDLC; from design reviews and threat modeling to secure coding practices. Conduct security assessments of applications, APIs, and cloud infrastructure. Guide developers on secure authentication, authorization, cryptography, and data protection. Champion security best practices while maintaining developer velocity and trust.
Implement Security Tooling & Automation: Deploy and manage application security tools including SAST, DAST, SCA, and container scanning. Build automation for security testing in CI/CD pipelines. Implement and improve secrets management solutions. Create dashboards and metrics to track security posture.
Drive Security Initiatives: Lead application vulnerability management programs including triage, prioritization, and driving remediation. Support security compliance efforts (SOC 2, ISO 27001, or similar frameworks). Contribute to incident response and security event investigation. Develop security training and documentation for engineering teams.
Collaborate Across Teams: Partner with infrastructure and DevOps teams on cloud security controls. Perform risk assessments for new features, technologies, and third-party integrations. Participate in architecture reviews and provide security guidance.
Required Qualifications
Bachelor’s degree in Computer Science, Software Engineering, Information Security, or a related technical field, or equivalent practical experience.
Strong written and verbal communication skills in English.
5+ years of professional experience in information security, with a significant focus on application and cloud security.
Professional software development experience, with hands-on responsibility for designing, building, and maintaining production systems in a language like Python, Go, Java, JavaScript, or similar.
Strong understanding of application security principles: OWASP Top 10, secure authentication/authorization, encryption, API security.
Experience with cloud platforms (AWS, GCP, or Azure) and cloud-native security.
Hands-on experience with CI/CD systems and DevOps practices.
Knowledge of container security and orchestration platforms (Docker, Kubernetes).
Experience implementing security tools like SAST/DAST scanners, dependency checkers, or secrets detection.
Experience with security tools such as Aikido, Snyk, Semgrep, Trivy, Wiz, HashiCorp Vault, or similar.
Collaborative mindset—you build security solutions with engineers, not against them.
Preferred Qualifications
Ability to communicate security concepts clearly to technical and non-technical audiences.
Familiarity with Infrastructure-as-Code (Terraform, etc) and policy-as-code tools.
Background supporting compliance frameworks (SOC 2, ISO 27001, FedRAMP, CMMC).
Security certifications (OSCP, OSWE, CEH, CISSP, CSSLP) are a plus.
Mechanical Orchard, Inc. is an Equal Opportunity Employer and Prohibits Discrimination and Harassment of Any Kind. Mechanical Orchard, Inc. is committed to the principle of equal employment opportunity for all employees and to providing employees with a work environment free of discrimination and harassment. All employment decisions at Mechanical Orchard, Inc. are based on business needs, job requirements and individual qualifications, without regard to race, color, religion or belief, national, social or ethnic origin, sex (including pregnancy), age, physical, mental or sensory disability, HIV Status, sexual orientation, gender identity and/or expression, marital, civil union or domestic partnership status, past or present military service, family medical history or genetic information, family or parental status, or any other status protected by the laws or regulations in the locations where we operate. Mechanical Orchard, Inc. will not tolerate discrimination or harassment based on any of these characteristics. Mechanical Orchard, Inc. encourages applicants of all ages. Mechanical Orchard, Inc. will provide reasonable accommodation to employees who have protected disabilities consistent with local law.
We look forward to reviewing your application. Thanks!
About the job
Apply for this position
Information Security Engineer (Application Security Focus)
At Mechanical Orchard, we specialize in safely rewriting the most critical and complex business applications—the software that runs the world as we know it today—so they’re ready to adapt quickly and easily to market challenges and opportunities. Our approach emerged from observing the decades-long failure patterns in modernization efforts and is designed to eliminate the risks and disruptions that characterize most projects.
Our background in software development and the impact on the industry is well known: we've literally helped write the book on XP and other impactful Agile practices. We’re applying the same thoughtfulness and rigor in applying AI pragmatically where it helps. We believe in the durable principles behind Agile, and embrace the power of cross-functional teams, collective ownership, test driven development, short feedback loops, and continuous improvement.
We’re bringing joy to beleaguered IT teams everywhere. Together, we’re seeing how applying craft, expertise, and technologies we’re building can fundamentally transform the way companies operate, innovate, and win. Our values are: Do the right thing. Do what works. Be kind.
We're looking for a senior Information Security Engineer who thrives at the intersection of security and software engineering. You’ll partner with development teams, designing, reviewing and pair programming to build security into systems, automate security processes, and build a scalable security program as we grow. This is a hands-on role for someone who has actually built software, understands modern cloud environments, and is comfortable navigating the security implications of emerging technologies, including AI-powered and agentic systems.
Key Responsibilities
Build Security into Development: Work alongside engineering teams to integrate security throughout the SDLC; from design reviews and threat modeling to secure coding practices. Conduct security assessments of applications, APIs, and cloud infrastructure. Guide developers on secure authentication, authorization, cryptography, and data protection. Champion security best practices while maintaining developer velocity and trust.
Implement Security Tooling & Automation: Deploy and manage application security tools including SAST, DAST, SCA, and container scanning. Build automation for security testing in CI/CD pipelines. Implement and improve secrets management solutions. Create dashboards and metrics to track security posture.
Drive Security Initiatives: Lead application vulnerability management programs including triage, prioritization, and driving remediation. Support security compliance efforts (SOC 2, ISO 27001, or similar frameworks). Contribute to incident response and security event investigation. Develop security training and documentation for engineering teams.
Collaborate Across Teams: Partner with infrastructure and DevOps teams on cloud security controls. Perform risk assessments for new features, technologies, and third-party integrations. Participate in architecture reviews and provide security guidance.
Required Qualifications
Bachelor’s degree in Computer Science, Software Engineering, Information Security, or a related technical field, or equivalent practical experience.
Strong written and verbal communication skills in English.
5+ years of professional experience in information security, with a significant focus on application and cloud security.
Professional software development experience, with hands-on responsibility for designing, building, and maintaining production systems in a language like Python, Go, Java, JavaScript, or similar.
Strong understanding of application security principles: OWASP Top 10, secure authentication/authorization, encryption, API security.
Experience with cloud platforms (AWS, GCP, or Azure) and cloud-native security.
Hands-on experience with CI/CD systems and DevOps practices.
Knowledge of container security and orchestration platforms (Docker, Kubernetes).
Experience implementing security tools like SAST/DAST scanners, dependency checkers, or secrets detection.
Experience with security tools such as Aikido, Snyk, Semgrep, Trivy, Wiz, HashiCorp Vault, or similar.
Collaborative mindset—you build security solutions with engineers, not against them.
Preferred Qualifications
Ability to communicate security concepts clearly to technical and non-technical audiences.
Familiarity with Infrastructure-as-Code (Terraform, etc) and policy-as-code tools.
Background supporting compliance frameworks (SOC 2, ISO 27001, FedRAMP, CMMC).
Security certifications (OSCP, OSWE, CEH, CISSP, CSSLP) are a plus.
Mechanical Orchard, Inc. is an Equal Opportunity Employer and Prohibits Discrimination and Harassment of Any Kind. Mechanical Orchard, Inc. is committed to the principle of equal employment opportunity for all employees and to providing employees with a work environment free of discrimination and harassment. All employment decisions at Mechanical Orchard, Inc. are based on business needs, job requirements and individual qualifications, without regard to race, color, religion or belief, national, social or ethnic origin, sex (including pregnancy), age, physical, mental or sensory disability, HIV Status, sexual orientation, gender identity and/or expression, marital, civil union or domestic partnership status, past or present military service, family medical history or genetic information, family or parental status, or any other status protected by the laws or regulations in the locations where we operate. Mechanical Orchard, Inc. will not tolerate discrimination or harassment based on any of these characteristics. Mechanical Orchard, Inc. encourages applicants of all ages. Mechanical Orchard, Inc. will provide reasonable accommodation to employees who have protected disabilities consistent with local law.
We look forward to reviewing your application. Thanks!