Principal Application Security Engineer

Upstart

Remote

Quick summary

Work type: Remote
Location: San Mateo, CA
Salary: $190,600–$263,900 / yr
Posted: 142 days ago
Closes: Sep 1, 2026
Nearby: 99+ roles within 25 mi

Market check

Salary context

Above market

How this pay compares to similar roles

Similar $168k

This role $227k

$103k most similar roles pay here $281k

This role pays more than 86% of similar roles. Most pay $142,450–$194,130 — the shaded band above. At the midpoint, this role pays about $227k versus about $168k for comparable roles.

Based on 240 similar postings.

Employer

About Upstart

Upstart is an AI lending platform that partners with banks and credit unions to expand access to affordable credit using non-traditional variables.

Upstart currently has 40 open roles on FindRole.

Listed pay typically runs $177,200–$245,400 across 40 roles with salary data.

Most-posted roles

View all roles at Upstart

At a glance

TL;DR · Principal Application Security Engineer

Apply Now Log in to save

As a Principal Application Security Engineer at Upstart, you will join the dedicated Application Security team to lead cross-functional discussions and drive security architecture reviews for critical initiatives. Your role involves deeply understanding business priorities and regulatory expectations to shape Upstart's strategic security posture and roadmap. You will establish robust threat modeling programs, design application security guardrails, and partner with Infrastructure and Cloud teams to enhance the security of cloud-native systems. Key responsibilities include automating risk reduction processes, mentoring engineers, and fostering a culture where security enables innovation. The ideal candidate has over 9 years of experience in security engineering, with at least 5 years focused on application security, expertise in Java, Python, or Ruby, and proficiency in secure coding practices, SAST/DAST/SCA, CI/CD protections, and secrets management. Experience with modern frontend frameworks, APIs, and microservices architectures is preferred.

Skills

Java Python Ruby SAST DAST SCA CI/CD API Security Microservices REST GraphQL AWS Kubernetes Terraform GitLab Jenkins GitHub PostgreSQL MongoDB OAuth OpenID Connect OAuth2 JSON Web Tokens PCI DSS ISO 27001 NIST Cybersecurity Framework

What you'll do

Define and drive Upstart’s application security strategy to align with business priorities.
Lead cross-functional security architecture reviews for critical initiatives to reduce systemic risk.
Establish a robust threat modeling program for high-risk systems, translating findings into engineering standards.
Design and standardize application security guardrails across the SDLC, including secure coding practices and automated testing.
Partner with Infrastructure and Cloud teams to strengthen the security posture of cloud-native systems.
Mentor engineers and influence leadership through clear risk metrics to elevate security maturity.

What we're looking for

9+ years of experience in security engineering with at least 5 years focused on application security.
Proven leadership in conducting security architecture reviews and threat modeling for complex systems.
Hands-on experience designing and implementing application security controls across the SDLC, including secure coding standards and automated testing tools.
Strong background in Java, Python, or Ruby development to enhance unique security operational needs.
Experience managing multiple significant information security initiatives simultaneously.
Familiarity with modern frontend frameworks, APIs (REST/GraphQL), and microservices architectures from a security perspective.

Save