Senior Application Security Engineer

Toronto, ON


Tonal

An entire smart gym in your home, Tonal revolutionizes fitness and strength training with patented resistance digital weight, machine learning, and expert personalization.


Who We Are
Tonal is the smartest home gym and personal trainer. It has completely revolutionized the way people work out at home, with its sleek design and advanced A.I. technology. We’ve united a diverse team of experts and decades of research to reinvent strength training, making it more efficient, more effective and more engaging. 
With this in mind, we want to bring that same innovative approach to the workplace. At Tonal, we continue our shift of emphasis by growing our instrumental team. We collectively weave our knowledge and creativity, as we redefine the future of fitness. We are passionate about building products that transform lives, and building teams that transform the status quo. Together, we can be our strongest.  
Overview
This role is available to be located in San Francisco, Toronto, Los Angeles, Austin, New York, or remote.
As an AppSec specialist on our DevSecOps team, you will work with multiple software teams to improve our security posture, evolve our practice, and promote the security mindset at all stages of the software lifecycle. Your work will range from minute (identifying code issues, offering guidance on a topic, reviewing new designs) to strategic (shaping the AppSec roadmap, keeping tabs on the ever-changing adversary landscape, and building relationships across the organization).
You will lead by example and advocate for the security mindset with a balanced approach to risk in everything we do. We are a small team and exclusive specialization is not a luxury we can afford yet. Alongside your AppSec expertise you will contribute as a security and DevOps generalist, including on-call duties. You don’t need to have previous DevOps experience — but if you have a desire to learn and a “can-do” attitude, we will show you how and learn from you in return. At Tonal, DevSecOps are partners and coaches, not gatekeepers. We achieve our goals not by fiat, but by shipping tools that help others out and by showing how what we are asking for ties into the company’s goals.
With a startup pace of development and growth, making sure security, operational maturity, and observability are given the appropriate priority can be a challenge; however, contributing to an amazing product that is changing people’s lives and growing professionally in a supportive environment that doesn’t get stuck in red tape is the reward.
P.S. If that’s your thing, we also have 🔥 hoodies :)

What You Will Do
Tonal software is written in several languages and runs on a variety of platforms. Early on, you will spend most of your time working on the server-side “brains” of the Tonal platform, written in Golang with a micro-service architecture. Our other stacks include native Android that runs our Tonal experience, and mobile apps across Android and iOS.
You will perform application architecture security reviews, run threat modeling exercises, and evaluate existing services for compliance in partnership with engineering teams across our tech stacks. To ensure you can keep up with developers, you will “shift AppSec left” by selecting, implementing, and operating Software Development Lifecycle (SDLC)-related application security tools. You will keep an eye on critical findings, drive their resolution, and support teams in learning how to use the tools by themselves.
Alongside these tactical responsibilities, you will set aside time to ensure our security efforts are going in the right direction long-term. You will suggest new initiatives that level up our AppSec practices, justify them in the context of a security and product roadmap, and plan and drive execution from an idea to the launch (“and beyond!”). You will also evaluate risk across all the software teams and stacks, and advocate allocating time, focus, and resources to the areas that need help the most.
As the AppSec specialist, we expect you to maintain awareness of news and evolving best practices in your field and educate both your team and developers on emerging threats, new ways of doing things, and key AppSec events/announcements (both defensive and offensive) that relate to our work at Tonal.
“Stronger together” is our key value. Regardless of your technical achievements, you will only succeed if you can establish and maintain trusting, collaborative working relationships with teams and engineers across Tonal. We never refuse a security question because “it’s not our job”, and we have helped people all around the company – showing we can get stuff done and building trust for the future.
You will participate in security and operational incident response, including on-call duties. You will also be called upon to help the team with general cybersecurity and DevOps tasks.

Extra Credit
If you found yourself agreeing with our team’s values and approach to cybersecurity, do not hesitate to apply even if you don’t “check all the boxes” or feel completely comfortable with all of our expectations. Just like our muscles, people get stronger when they are working even a bit outside their comfort zone.
The following knowledge and skills are not required but would enhance your application:
- Experience in AppSec for embedded, firmware, or mobile areas of software development
- Knowledge of languages, patterns, and common issues in internal Single Page Applications (SPAs)
- Experience with issues specific to containerized distributed/microservice applications
- Experience with AWS or other public clouds, DevOps, Infrastructure as Code, Kubernetes
- Experience integrating SDLC tools into CI/CD workflows
- Experience with all lifecycle stages of SDLC-related AppSec tools
- Relevant industry certifications
- Knowledge of security and compliance frameworks and understanding of their implications on AppSec

At Tonal, we believe that the unique and varied lived experiences of our teammates contribute to our overall strength. We don’t just appreciate differences, we celebrate them, and we always seek people that represent a wide variety of backgrounds. We’re dedicated to adding new perspectives to the team and designing employee experiences that contribute to your growth as much as you do to ours. If your experience aligns with what we’re looking for (even if you don’t check every single box), send us your application. We would love to hear from you! Tonal is committed to meeting the diverse needs of people with disabilities in a timely manner that is consistent with the principles of independence, dignity, integration and equality of opportunity. Should you have any accommodation requests, please reach out to us via our confidential email, accessibility@tonal.com. All requests will be addressed and responded to in accordance with Tonal’s Accessibility Policy and local legislation.


Tags: Android Application security AWS CI/CD Compliance DevOps DevSecOps Golang Incident response iOS Kubernetes SDLC

Perks/benefits: Career development Startup environment Team events

Regions: Remote/Anywhere North America
Country: Canada
