At Asana, security is foundational to our mission of helping humanity thrive by enabling the world’s teams to work together effortlessly. Our security team protects Asana’s employees, users, and customers by proactively addressing threats and fostering a culture of security throughout our product and operations.

We’re looking for a security engineer to join our Security Red Team in Warsaw. You’ll be a foundational member of the security presence in a key engineering hub, partnering directly with IT, infrastructure, and product teams to ensure we design and ship secure software. You will be instrumental in scaling our security practices by performing security reviews and penetration testing assessments of our products and internal applications, eliminating entire classes of vulnerabilities, and championing a security-first mindset.

This role is based in our Warsaw office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday.

We offer a Contract of Employment (UoP) for our employees in Poland

What you’ll achieve:

• Conduct security architecture reviews, threat modeling, and penetration testing for new features and services across our product and internal applications.
• Test software for application security vulnerabilities through various assessment methodologies, including penetration testing.
• Triage, investigate, and drive remediation of vulnerabilities from our bug bounty program, internal penetration tests, and automated security tooling.
• Influence engineering initiatives by conducting design and roadmap reviews, effectively communicating security constraints, and assisting teams in making informed trade-offs.
• Investigate product security incidents as an incident subject matter expert, using logs and monitoring tools.
• Develop and deliver training to educate engineers on secure coding best practices and emerging threats.
• Stay informed of industry trends, emerging threats, and best practices to ensure that Asana’s security posture remains robust.
• Collaborate with teammates and stakeholders to develop both short-term and long-term strategies for risk management.
• Join a collaborative Security team composed of specialists in product, application, software engineering, infrastructure and detection and response, all working together to help engineering teams design and ship secure software.

About you:

• 5+ years of experience in application security, product security, penetration assessments, or software engineering with a security focus, with significant experience in security reviews and penetration testing.
• Strong software engineering background with experience in languages like Python, Javascript/Typescript or Scala
• Deep working knowledge of the OWASP Top 10 and common web application vulnerabilities such as XSS, CSRF, SSRF, and SQL injection
• Experience with security tools for static/dynamic analysis (SAST/DAST), software composition analysis (SCA), and vulnerability management.
• Proven experience performing security design reviews and threat modeling for complex applications, as well as conducting comprehensive penetration tests.
• Excelling communication skills for collaborating effectively with both technical and non-technical partners.
• A pragmatic and collaborative mindset, with a passion for building defenses against real-world attacks and enabling other engineers to do their best, most secure work.

What we offer:

• Generous, transparent and fair compensation system (base salary and generous Restricted Stock Unit for Asana Inc.) 
• Contract of Employment (with 50% tax deductible costs for author’s rights usage for Engineers) 
• Health insurance with dental and travel coverage (Lux Med) 
• Lunch catering on the days that you work from the office
• Career growth budget 
• Home office setup budget 
• Gym/Fitness reimbursement
• Fertility healthcare and family-forming support with Carrot
• Mental health support in Modern Health
• Group life insurance
• MacBooks with all necessary accessories

For this role, the estimated base salary range is between 25,604  - 35,854 PLN gross monthly on the contract of employment (UoP). The actual base salary will vary based on various factors and individual qualifications objectively assessed during the interview process. The listed range above is a guideline, and the base compensation range for this role may be modified.

Our total compensation consists of base salary and equity (RSUs). 

#appsec #securityengineer #LI-Hybrid

About the Role

As an Application Security Engineer (Offensive Testing), you will lead and perform penetration testing and DAST for Veeam Data Cloud products. You’ll use Burp Suite and modern web/API testing techniques to find real, exploitable issues, help prioritize risk, and work with engineering teams to drive fixes to completion.

You will also improve testing tools and processes, make testing more repeatable, and help teams prevent recurring vulnerabilities—especially around authentication, authorization, session management, and tenant isolation.

What You’ll Do

• Own offensive testing: plan what to test, how deep to go, and how often; create clear, consistent reports and reusable playbooks
• Perform manual pentesting (main focus): test web apps and APIs, especially authentication/authorization, multi-tenant boundaries, and critical workflows; chain issues into realistic attack paths
• Use Burp Suite daily: validate and reproduce findings with advanced Burp features; build and maintain repeatable scopes, macros, and authenticated flows
• Run and improve DAST: execute and tune authenticated scans, reduce false positives, and work with CI/platform teams to scale scanning and manage credentials
• Drive remediation: deliver high-quality write-ups, partner with engineers to fix and retest, and help prevent regressions; ensure findings are tracked with the right severity and SLAs
• Improve security long-term: spot recurring patterns and help teams prevent them through standards, libraries, platform controls, and input to threat modeling/design reviews

What You’ll Bring

• Strong web and API pentesting experience, especially in authorization (IDOR/BOLA, privilege escalation, role/tenant boundaries), authentication/session flows (tokens, identity integrations), and common vulnerabilities (injection, SSRF, deserialization, misconfigurations) with practical exploitation skills
• Advanced Burp Suite skills: manual validation, targeted fuzzing, authenticated testing, and workflow automation (extensions/macros)
• Experience writing Semgrep rules to detect insecure patterns and improve secure-by-default development
• DAST experience at scale: running or supporting authenticated scans, tuning coverage, and reducing false positives
• Clear written communication: concise PoCs and actionable remediation guidance for engineers

Bonus Skills

• SaaS multi-tenant security testing experience; OAuth2/OIDC/SAML depth; bug bounty triage; writing custom tooling or Burp extensions

What You’ll Get 

• 26 paid days off annually, plus 4 extra global VeeaMe Days for self-care and 24 paid volunteer hours annually through Veeam Cares
• Paid parental, maternity, and paternity leave
• Fully covered family medical plan, dental, rehab, and vaccinations
• Life, critical illness, and disability insurance
• Employer pension contribution via PPK
• Monthly Edenred allowance of 450 PLN for meals
• MultiSport card fully covered by Veeam, giving access to sports facilities nationwide
• Up to 12 free therapy sessions annually, plus legal and financial advice
• Opportunities to learn and grow through on-demand libraries (LinkedIn Learning, O’Reilly), mentoring, workshops and learning events like our annual Global Day of Learning

Please note: If the applicant is permanently present outside of Poland, Veeam reserves the right to refuse to consider the application for a job. Remote job is only possible in case the employee is located in Poland.

#LI-GD1
#Hybrid