Senior Application Security Engineer

Job Description

The New York Times has a unique culture that guides us to do things differently. This allows development teams to focus on delivering software with velocity, but also means that the Information Security team constantly innovates to solve classic problems. Our team of architects, builders and breakers consider customer security and success our north star and aren’t afraid of getting our hands dirty.

The Application Security Team helps secure the applications that run The New York Times business and serve our journalists. Our customers are primarily The New York Times product and technology teams that produce the software, tools and technology to empower the business. We build credibility not just by advising people but by being empathetic to people, paying attention to details, respecting ideas over egos, embracing change, and reducing the red tape by going the extra mile.

As an Application Security Engineer, you will:

  • Work with the product and technology teams to build in security early

  • Assess the application threat landscape by threat modeling and architecture reviews

  • Guide product and technology teams to integrate security into their software development lifecycle

  • Perform regular security assessments of NYT’s platforms and software

  • Conduct security code reviews for a variety of languages and frameworks of web and mobile applications

  • Plan, execute and implement static code analysis across the organization

  • Work with the internal development teams to educate them on security topics

  • Prioritize, triage and remediate vulnerabilities and findings from system scans and bug bounty programs

  • Integrate security tools, standards, and processes into the secure software development lifecycle

  • Improve and support application security tool deployments including static analysis and runtime testing tools

  • Participate in the periodic application security off-hours escalation rotation

You might have:

  • 4+ years of experience in the application security field

  • Experience with manual penetration testing against web and mobile applications

  • Experience with static code analysis tools such as Fortify, Checkmarx or other similar tools

  • Experience with risk assessment and architecture reviews

  • Experience with network/infrastructure penetration testing

  • Development and/or source code review experience in Python, Go, Ruby, PHP, Node.js

  • Familiarity with application layer assessment tools, such as local proxies and fuzzers

  • Familiarity with threat modeling and security design review methodologies

  • Ability to work both independently and perform as a leader in a team environment

  • Ability to work as part of a distributed team and travel to an NYT office periodically if working remotely

  • Excellent communication skills (both written and oral)

  • Able to concisely communicate security risks to both technical and business audiences

  • Comfortable working in and across cloud environments like AWS and GCP

The following skills are not required from applicants but would be considered a plus:

  • Degree in Computer Science, Information Systems, Engineering or related major

  • Experience working as part of an enterprise development team

  • Experience developing custom scripts or tools used for vulnerability scanning and identification

  • A good understanding of cryptography fundamentals

Why NYT?

  • Core mission is to seek truth and help people understand the world

  • Our values are Independence, Integrity, Curiosity, Respect, Collaboration and Excellence

  • Commitment to one’s development through education, workshops and active engagement

  • Exposure to a wide range of new, old and everything in-between technologies and languages

  • We <3 open source and believe that we grow together by sharing and giving back to the community

This role may require limited on-call hours. An on-call schedule will be determined when you join, taking into account team size and other variables. On-call hours are unpaid, unless informed otherwise by your manager.


The New York Times is committed to a diverse and inclusive workforce, one that reflects the varied global community we serve. Our journalism and the products we build in the service of that journalism greatly benefit from a range of perspectives, which can only come from diversity of all types, across our ranks, at all levels of the organization. Achieving true diversity and inclusion is the right thing to do. It is also the smart thing for our business. So we strongly encourage women, veterans, people with disabilities, people of color and gender nonconforming candidates to apply.

The New York Times Company is an Equal Opportunity Employer and does not discriminate on the basis of an individual's sex, age, race, color, creed, national origin, alienage, religion, marital status, pregnancy, sexual orientation or affectional preference, gender identity and expression, disability, genetic trait or predisposition, carrier status, citizenship, veteran or military status and other personal characteristics protected by law. All applications will receive consideration for employment without regard to legally protected characteristics. The New York Times Company will consider qualified applicants, including those with criminal histories, in a manner consistent with the requirements of applicable state and local "Fair Chance" laws.

United States