About the role
<p id="p-rc_7f7ddae2932a5d60-340" data-path-to-node="3"><span data-path-to-node="3,0">STORM (Security Threat Operations & Response Management) is Asana's security operations organization, made up of red and blue team specialists focused on protecting Asana's employees, users, and customers</span><span data-path-to-node="3,2">. We proactively address threats, embed security across the product lifecycle, and partner closely with Asana's broader R&D and engineering teams to make security-by-design the norm</span><span data-path-to-node="3,4">. We are looking for a collaborative, analytical Security Architecture Engineer to join our team in Warsaw to solve complex design challenges and scale our architectural security defenses</span><span data-path-to-node="3,6">.</span></p>
<p id="p-rc_7f7ddae2932a5d60-341" data-path-to-node="4"><span data-path-to-node="4,0">This role is based in our Warsaw offi<span class="citation-1340 citation-end-1340">ce with an office-centric hybrid schedule</span></span><span data-path-to-node="4,2"><span class="citation-1339">. The standard in-office days are Monday, Tuesday, and</span><span class="citation-1338 citation-1339 citation-end-1339"> Thursday</span></span><span data-path-to-node="4,4"><span class="citation-1336 citation-1337 citation-end-1337">. Most Asanas have the option to work from home on Wednesdays</span></span><span data-path-to-node="4,6"><span class="citation-1334 citation-1335 citation-end-1335">. Working from home on Frida</span><span class="citation-1334 citation-end-1334">ys depends on the type of work you do and the teams with which you partner</span></span><span data-path-to-node="4,8"><span class="citation-1333 citation-end-1333">. If you're interview</span>ing for this role, your recruiter will share more about the in-office requirements</span><span data-path-to-node="4,10">.</span></p>
<p id="p-rc_7f7ddae2932a5d60-342" data-path-to-node="5"><span data-path-to-node="5,0">We offer a Contract of Employment (UoP) for our employees in Poland</span><span data-path-to-node="5,2">.</span></p>
<h3 data-path-to-node="6">What you’ll achieve</h3>
<ul data-path-to-node="7">
<li>
<p id="p-rc_7f7ddae2932a5d60-343" data-path-to-node="7,0,0"><span data-path-to-node="7,0,0,0"><strong data-path-to-node="7,0,0,0" data-index-in-node="0">Security Design Review & Threat Modelling:</strong> Lead architecture reviews and structured threat modelling (such as STRIDE, OWASP Threat Dragon, and MITRE ATT&CK) for new and in-flight projects to identify risk early and produce actionable guidance before code is written</span><span data-path-to-node="7,0,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-344" data-path-to-node="7,1,0"><span data-path-to-node="7,1,0,0"><strong data-path-to-node="7,1,0,0" data-index-in-node="0">Code & Data Flow Analysis:</strong> Conduct security-focused code reviews and analyze data flows across services, APIs, and integrations to identify trust boundaries and attack surface reduction opportunities</span><span data-path-to-node="7,1,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-345" data-path-to-node="7,2,0"><span data-path-to-node="7,2,0,0"><strong data-path-to-node="7,2,0,0" data-index-in-node="0">Defensive Engineering Recommendations:</strong> Translate threat model findings into concrete engineering recommendations and feed architectural weaknesses to STORM’s red team for proactive adversary emulation planning</span><span data-path-to-node="7,2,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-346" data-path-to-node="7,3,0"><span data-path-to-node="7,3,0,0"><strong data-path-to-node="7,3,0,0" data-index-in-node="0">Architecture Standards & Frameworks:</strong> Build and mature Asana’s security architecture review process and define standards aligned to industry best practices like NIST 800-53, FedRAMP, ISO 27001, and OWASP ASVS</span><span data-path-to-node="7,3,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-347" data-path-to-node="7,4,0"><span data-path-to-node="7,4,0,0"><strong data-path-to-node="7,4,0,0" data-index-in-node="0">Security Pattern Library:</strong> Develop and maintain a reusable security pattern library for authentication, authorization, encryption, API security, and data handling that engineering teams can adopt directly</span><span data-path-to-node="7,4,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-348" data-path-to-node="7,5,0"><span data-path-to-node="7,5,0,0"><strong data-path-to-node="7,5,0,0" data-index-in-node="0">AI Security Architecture:</strong> Evaluate AI tooling and integrations using industry standards (such as OWASP Maestro and OWASP Top 10 for LLMs), assessing risks including prompt injection, model misuse, data leakage, and supply chain exposure</span><span data-path-to-node="7,5,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-349" data-path-to-node="7,6,0"><span data-path-to-node="7,6,0,0"><strong data-path-to-node="7,6,0,0" data-index-in-node="0">AI Governance:</strong> Develop governance practices for AI-augmented development workflows and stay current with the evolving AI security landscape</span><span data-path-to-node="7,6,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-350" data-path-to-node="7,7,0"><span data-path-to-node="7,7,0,0"><strong data-path-to-node="7,7,0,0" data-index-in-node="0">Security Artifact Advocacy:</strong> Champion security-by-design by driving organizational adoption of architecture diagrams, data flow diagrams, and threat models as first-class engineering artefacts</span><span data-path-to-node="7,7,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-351" data-path-to-node="7,8,0"><span data-path-to-node="7,8,0,0"><strong data-path-to-node="7,8,0,0" data-index-in-node="0">Training & Culture:</strong> Deliver highly technical training and workshops to engineering and product teams, making the secure choice the path of least resistance across the organization</span><span data-path-to-node="7,8,0,2">.</span></p>
</li>
</ul>
<h3 data-path-to-node="8">About you</h3>
<ul data-path-to-node="9">
<li>
<p id="p-rc_7f7ddae2932a5d60-352" data-path-to-node="9,0,0"><span data-path-to-node="9,0,0,0">7+ years of progressive experience in security roles, with a focus on security architecture, application security, or high-scale design reviews</span><span data-path-to-node="9,0,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-353" data-path-to-node="9,1,0"><span data-path-to-node="9,1,0,0">Hands-on proficiency with threat modelling methodologies (STRIDE/PASTA, OWASP Threat Dragon) and the MITRE ATT&CK framework at the TTP level</span><span data-path-to-node="9,1,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-354" data-path-to-node="9,2,0"><span data-path-to-node="9,2,0,0">Competency conducting security-focused code reviews across modern languages, including Python, Go, Java, or TypeScript</span><span data-path-to-node="9,2,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-355" data-path-to-node="9,3,0"><span data-path-to-node="9,3,0,0">Deep functional knowledge of compliance frameworks and baselines, including NIST 800-53, FedRAMP, ISO 27001, OWASP ASVS, and the AWS Well-Architected Security pillar</span><span data-path-to-node="9,3,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-356" data-path-to-node="9,4,0"><span data-path-to-node="9,4,0,0">Strong understanding of authentication/authorisation mechanisms (OAuth 2.0, OIDC, SAML, SSO) and container infrastructure security (Kubernetes RBAC, pod security, network policies, and secrets management)</span><span data-path-to-node="9,4,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-357" data-path-to-node="9,5,0"><span data-path-to-node="9,5,0,0">Familiarity with emerging AI security standards, specifically the OWASP Top 10 for LLMs, OWASP Maestro, or securing multi-tenant SaaS platforms</span><span data-path-to-node="9,5,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-358" data-path-to-node="9,6,0"><span data-path-to-node="9,6,0,0">Demonstrated track record of translating complex architectural risks into clear, pragmatic guidance for engineers and senior stakeholders</span><span data-path-to-node="9,6,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-359" data-path-to-node="9,7,0"><span data-path-to-node="9,7,0,0">Proven ability to build security review processes from low maturity and shift engineering culture through influence and collaboration</span><span data-path-to-node="9,7,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-360" data-path-to-node="9,8,0"><span data-path-to-node="9,8,0,0">Strong technical writing skills with experience producing architectural diagrams, threat models, and cle<span class="citation-1332 citation-end-1332">an documentation that teams reference daily</span></span><span data-path-to-node="9,8,0,2"><span class="citation-1331 citation-end-1331">.</span></span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-361" data-path-to-node="9,9,0"><span data-path-to-node="9,9,0,0"><span class="citation-1330 citation-end-1330">Demonstrates curiosity about AI tools and emerging technologies, with a willingness to learn and leverage them to enhance productivity, collaboration, or decision-</span>making</span><span data-path-to-node="9,9,0,2">.</span></p>
</li>
</ul>
<p id="p-rc_7f7ddae2932a5d60-362" data-path-to-node="10"><span data-path-to-node="10,0">At Asana, we're committed to building teams that include a variety of backgrounds, perspectives, and skills, as this is critical to helping us achieve our mission</span><span data-path-to-node="10,2">. If you're interested in this role and don't meet every listed requirement, we still encourage you to apply</span><span data-path-to-node="10,4">.</span></p>
<h3 data-path-to-node="11">What we’ll offer</h3>
<ul data-path-to-node="12">
<li>
<p id="p-rc_7f7ddae2932a5d60-363" data-path-to-node="12,0,0"><span data-path-to-node="12,0,0,0">Generous, transparent and fair compensation system (base salary and RSUs)</span><span data-path-to-node="12,0,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-364" data-path-to-node="12,1,0"><span data-path-to-node="12,1,0,0">Contract of Employment (and the option of 50% tax deductible costs for author’s rights usage in respect of applicable roles)</span><span data-path-to-node="12,1,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-365" data-path-to-node="12,2,0"><span data-path-to-node="12,2,0,0">Health insurance with dental and travel coverage (Lux Med)</span><span data-path-to-node="12,2,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-366" data-path-to-node="12,3,0"><span data-path-to-node="12,3,0,0">Breakfast and lunch catering on the days that you work from the office</span><span data-path-to-node="12,3,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-367" data-path-to-node="12,4,0"><span data-path-to-node="12,4,0,0">Vacation allowance</span><span data-path-to-node="12,4,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-368" data-path-to-node="12,5,0"><span data-path-to-node="12,5,0,0">Career growth budget</span><span data-path-to-node="12,5,0,2"><span class="citation-1329 citation-end-1329">.</span></span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-369" data-path-to-node="12,6,0"><span data-path-to-node="12,6,0,0"><span class="citation-1328 citation-end-1328">Home office setup budget</span></span><span data-path-to-node="12,6,0,2"><span class="citation-1327 citation-end-1327">.</span></span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-370" data-path-to-node="12,7,0"><span data-path-to-node="12,7,0,0"><span class="citation-1326 citation-end-1326">Gym/Fitness card</span></span><span data-path-to-node="12,7,0,2"><span class="citation-1325 citation-end-1325">.</span></span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-371" data-path-to-node="12,8,0"><span data-path-to-node="12,8,0,0"><span class="citation-1324 citation-end-1324">Fertility healthcare and family-forming support with Carrot</span></span><span data-path-to-node="12,8,0,2"><span class="citation-1323 citation-end-1323">.</span></span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-372" data-path-to-node="12,9,0"><span data-path-to-node="12,9,0,0"><span class="citation-1322 citation-end-1322">Mental Health Support in Modern Health</span></span><span data-path-to-node="12,9,0,2"><span class="citation-1321 citation-end-1321">.</span></span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-373" data-path-to-node="12,10,0"><span data-path-to-node="12,10,0,0"><span class="citation-1320 citation-end-1320">Group lif</span>e insurance</span><span data-path-to-node="12,10,0,2">.</span></p>
</li>
<li>
<p id="p-rc_7f7ddae2932a5d60-374" data-path-to-node="12,11,0"><span data-path-to-node="12,11,0,0">MacBooks with all necessary accessories</span><span data-path-to-node="12,11,0,2">.</span></p>
</li>
</ul>
<p id="p-rc_7f7ddae2932a5d60-375" data-path-to-node="13"><span data-path-to-node="13,0">For this role, the estimated base salary range is between 31,900 - 36,000 PLN gross per month (subject to all taxes and necessary deductions)</span><span data-path-to-node="13,2">. The actual base salary will vary based on various factors, including market and individual qualifications objectively assessed during the interview process</span><span data-path-to-node="13,4">. The listed range above is a guideline, and the base salary range for this role may be modified</span><span data-path-to-node="13,6">. In addition to base salary, your compensation package may include additional components such as equity and benefits</span><span data-path-to-node="13,8">. If you're interviewing for this role, speak with your recruiter to learn more about the total compensation and benefits for this role</span><span data-path-to-node="13,10">.</span></p>
<div class="content-conclusion"><p><strong>About us</strong></p>
<p data-pm-slice="1 1 []">Asana is a leading platform for human + AI collaboration. Millions of teams around the world rely on Asana to achieve their most important goals, faster. Asana has been named to Fortune's Best Workplaces for 7+ years and recognized by Fast Company, Forbes, and Gartner for excellence in workplace culture and innovation. We offer an exceptional office-centric culture while adopting the best elements of hybrid models to ensure that every one of our global team members can work together effortlessly. With 13+ offices all over the world, we are always looking for individuals who care about building technology that drives positive change in the world and a culture where everyone feels that they belong.</p>
<p data-pm-slice="1 1 []"><strong><a class="LinkThemeablePresentation LinkPrimaryPresentation LinkPrimaryPresentation--sentimentSelected PrimaryLink HighlightSol HighlightSol--core HighlightSol--buildingBlock" href="https://www.gem.com/form?formID=fbcdec8c-3442-43b9-9b45-d2b5f4ea25db" target="_blank">Join Asana’s Talent Network</a></strong> to stay up to date on job opportunities and life at Asana.</p></div>
Perks & benefits
- Medical Insurance
- Mental Wellness Budget
- Home Office Budget
- Equity Compensation