Security Architect

• Lead security design reviews and structured threat modelling (STRIDE, OWASP Threat Dragon, MITRE ATT&CK) for new and in-flight projects to identify risk early and produce actionable guidance before code is written.
• Conduct security-focused code reviews and analyze data flows across services, APIs, and integrations to identify trust boundaries and attack surface reduction opportunities.
• Translate threat model findings into concrete engineering recommendations and feed architectural weaknesses to the red team for proactive adversary emulation planning.
• Build and mature Asana’s security architecture review process and define standards aligned to industry best practices like NIST 800-53, FedRAMP, ISO 27001, and OWASP ASVS.
• Develop and maintain a reusable security pattern library for authentication, authorization, encryption, API security, and data handling that engineering teams can adopt directly.
• Evaluate AI tooling and integrations using industry standards (OWASP Maestro and OWASP Top 10 for LLMs), assessing risks including prompt injection, model misuse, data leakage, and supply chain exposure.
• Develop governance practices for AI-augmented development workflows and stay current with the evolving AI security landscape.

Key requirements:

• 7+ years of progressive experience in security roles, with a focus on security architecture, application security, or high-scale design reviews.
• Hands-on proficiency with threat modelling methodologies (STRIDE/PASTA, OWASP Threat Dragon) and the MITRE ATT&CK framework at the TTP level.
• Competency conducting security-focused code reviews across modern languages, including Python, Go, Java, or TypeScript.
• Deep functional knowledge of compliance frameworks and baselines, including NIST 800-53, FedRAMP, ISO 27001, OWASP ASVS, and the AWS Well-Architected Security pillar.
• Strong understanding of authentication/authorisation mechanisms (OAuth 2.0, OIDC, SAML, SSO) and container infrastructure security (Kubernetes RBAC, pod security, network policies, and secrets management).
• Demonstrated track record of translating complex architectural risks into clear, pragmatic guidance for engineers and senior stakeholders.

Nice to have:

• Familiarity with emerging AI security standards, specifically the OWASP Top 10 for LLMs, OWASP Maestro, or securing multi-tenant SaaS platforms.
• Demonstrates curiosity about AI tools and emerging technologies, with a willingness to learn and leverage them to enhance productivity, collaboration, or decision-making.