Application Security Engineer

Grammarly offers a remote-first hybrid working model. Team members can work primarily remotely. Teams will meet in person every quarter in one of Grammarly’s hubs, currently in San Francisco, Vancouver, New York, and Kyiv. To ensure that teams are able to overlap in their working hours and to meet face-to-face when needed, all team members need to live within three time zones of their direct team.

Please note our Kyiv hub is currently closed, but we hope the time comes soon when we can reunite with team members there. We continue to provide support to our Ukraine team members displaced within and outside of Ukraine.

The opportunity

Grammarly empowers people to thrive and connect, whenever and wherever they communicate. More than 30 million people and 30,000 teams around the world use our AI-powered writing assistant every day. All of this begins with our team collaborating in a values-driven and learning-oriented environment. 

To achieve our ambitious goals, we’re looking for engineers to join our AppSec team. In this role, you will have a substantial impact on the security of Grammarly product family and cloud infrastructure behind it. We are looking for engineers eager to find bugs and vulnerabilities in the code and to conduct black-box and white-box testing of different products and features.

Grammarly’s engineers and researchers have the freedom to innovate and uncover breakthroughs—and, in turn, influence our product roadmap. The complexity of our technical challenges is growing rapidly as we scale our interfaces, algorithms, and infrastructure. Read more about our stack or hear from our team on our technical blog.

Your impact

In this role, you will:

• Serve as the subject matter expert for application security, providing guidance to Engineering and Product teams.
• Develop secure system design and secure coding recommendations. 
• Design and implement SDLC practices including code reviews, static/dynamic code analysis, and vulnerability assessments.
• Actively participate in the “security champions” initiative and provide security training to engineering teams. 
• Perform security testing on our internal and external applications—including performing security code reviews, vulnerability assessments,  and exploit development, as well as documenting the outcomes of the research.
• Manage Grammarly bug bounty and drive different program initiatives and promotions.
• Integrate SAST/DAST in CI/CD and operational pipelines.
• Create and manage tools (e.g., web security scanners) to help test and monitor product security.

We’re looking for someone who

• Embodies our EAGER values—is ethical, adaptable, gritty, empathetic, and remarkable.
• Has a minimum of two years in application security or related field.
• Has knowledge of programming languages (JS, Java, Python, Go). 
• Is familiar with software development methodologies, processes, and tools. 
• Is familiar with modern DevOps practices and tools.
• Has working experience with application security tools like BurpSuite, OWASP ZAP, Metasploit, etc.

An ideal candidate would be someone who

• Has participated in bug bounty programs and security research.
• Has practical experience with device management, access provision, and access management.
• Has prior experience in continuous security cycle implementation for web applications.
• Has knowledge of networking principles or macOS/Linux/Windows platforms.
• Has experience with malware analysis; reverse engineering is also a plus.
• Has experience with AWS (or other cloud platforms).

Support for you, professionally and personally

• Professional growth: We hire people we trust, and we give team members autonomy to do their best work. We also support professional development with training, coaching, and regular feedback.
• A connected team: Grammarly builds products that help people connect, and we apply this mindset to our own team. We have a highly collaborative culture supported by our EAGER values. We also take time to celebrate our colleagues and accomplishments with global, local, and team-specific events and programs.
• Comprehensive benefits: Grammarly offers all team members competitive pay along with a benefits package encompassing superior health care (including mental health benefits). We also offer support to set up a home office, ample and defined time off, gym and recreation stipends, and more.

We encourage you to apply

At Grammarly, we value our differences, and we encourage all—especially those whose identities are traditionally underrepresented in tech organizations—to apply. Grammarly is an equal opportunity company. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, criminal prosecution, judgment in a criminal case, or any other characteristic protected by law. 

Please note that Grammarly’s COVID-19 vaccination policy requires that all team members in North America be vaccinated against COVID-19 to meet in person for Grammarly business or to work from a North America hub location. It is expected that this will be a requirement for this role. Qualified candidates in North America who cannot be vaccinated for medical reasons or because of a sincerely held religious belief may request a reasonable accommodation to this policy. For Ukraine, this policy requires team members to be vaccinated or produce a daily negative COVID-19 test administered at the Kyiv hub to work from the hub or attend in-person meetings.

#LI-Remote