Sr. Security Engineer
Aha!

Job Description
About Aha!
Aha! is the world's #1 product development software, helping over 1 million product builders bring their strategy to life. Our integrated tools, including Aha! Roadmaps, Aha! Discovery, Aha! Ideas, Aha! Whiteboards, Aha! Builder, Aha! Develop, Aha! Teamwork, and Aha! Knowledge, empower teams from discovery to delivery. Product teams leverage our expertise, AI assistant, and training programs via Aha! Academy. We are a self-funded, profitable, and 100% remote SaaS company, recognized as one of the best fully remote workplaces. We champion the Bootstrap Movement and have contributed over $1.5M to those in need through Aha! Cares. Learn more at www.aha.io.
Our Team
The Aha! engineering team is a midsized, highly productive, fully remote group primarily centered around North American time zones for effective collaboration. We foster an environment where teammates feel valued, offering an onboarding program that quickly integrates new hires into the codebase. We move quickly, shipping code multiple times a day to deliver valuable features and iteratively improve. We prioritize product over process, minimizing overhead with clear goals and avoiding excessive meetings. We believe in freely sharing knowledge internally and with the broader developer community through our engineering blog. Above all, we enjoy our work and strive for a positive team and job experience, guided by The Responsive Method and generous benefits.
Our Technology
Our core web application is a single-instance, multi-tenant Ruby on Rails monolith. It is supported by Postgres for the database, Redis for background jobs, Kafka for event processing, and Memcached for Rails caching. We also utilize a Node.js webserver to facilitate collaborative editing and real-time updates. Hosted on Amazon Web Services, our application architecture employs ECS for reproducibility and scalability. On the front end, we are increasingly adopting React to build rich client-side experiences, such as our fully collaborative text and slide presentation editors. We thoughtfully balance the strengths of both Rails (for its conventions and simplicity) and React (for powerful interactive functionality). We embrace new technologies that enhance our product suite while remaining mindful of maintenance overhead, focusing on solving immediate problems rather than premature optimization.
Your Experience
The Sr. Security Engineer role primarily focuses on web application security, requiring deep knowledge of vulnerabilities and mitigation strategies. You should be familiar with securing data within multi-tenant architectures and have a track record of assisting engineers in building secure applications. Beyond technical prowess, we value kindness and a collaborative spirit. You are humble, eager to learn, and always willing to help others, enjoying problem-solving regardless of the specific technologies. Experience working at meaningful scale is also highly valued. Required experience and skills include:
- Four+ years of experience working in application security
- Active collaboration with engineering and product teams
- Experience with security reviews or threat modeling for a full-stack web application
- Experience with security tools such as CodeQL or Burp Suite
- Experience with Ruby on Rails is a plus
Your Work at Aha!
As a Sr. Security Engineer, you will be an integral part of the security team, working across our entire product suite and providing essential guidance to the broader engineering team across the full stack. We are passionate about data security and mutual support. Your key responsibilities will involve:
- Identifying application security threats and mitigations early
- Improving and maintaining security code scanning tools
- Contributing to application security scanning or testing
- Developing and sharing secure patterns internally for ongoing education
If this Sr. Security Engineer role resonates with you, we encourage you to apply. A real human reviews every application.
Grow with us
At Aha!, we believe everyone deserves to reach their fullest potential. We find engagement and vitality in meaningful work, collaborating with valued colleagues in a high-growth environment. This philosophy drives our best work. We offer a comprehensive benefits package, including profit sharing. While the specific benefits below reflect U.S. offerings, we strive to extend identical benefits to our international teammates:
- The base salary range for this role in the U.S. is between $110,000 and $190,000
- Cash-based compensation also includes profit sharing, with a percentage of your total pay contributed monthly toward retirement
- Medical, dental, and vision plans (with 100% premium coverage for many teammates)
- Up to 200 hours of paid time off annually
- 30 to 90 days of paid parental leave; five to 10 days of paid care and bereavement leave
- Up to $1,000 annually for third-party education, plus paid time off for learning
- Volunteer opportunities throughout the year
Base salary and total compensation are determined by factors such as skills, experience, and relevant past roles.
Key skills/competency
- Application Security
- Web Security
- Threat Modeling
- Vulnerability Management
- Security Architecture
- Code Scanning
- Security Reviews
- Ruby on Rails (plus)
- AWS Security
- Burp Suite
How to Get Hired at Aha!
- Research Aha!'s culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
- Showcase Application Security Expertise: Highlight practical experience with web vulnerabilities, mitigation strategies, and securing multi-tenant architectures.
- Emphasize Collaborative Problem-Solving: Provide examples of working effectively with engineering and product teams to integrate security early in the SDLC.
- Tailor Your Resume: Customize your resume to specifically address the skills mentioned, such as Ruby on Rails, AWS security, CodeQL, or Burp Suite experience.
- Prepare for Technical & Behavioral Interviews: Be ready to discuss complex security challenges, your problem-solving process, and how you mentor or educate other engineers.