Security Architecture Engineer, STORM

STORM (Security Threat Operations & Response Management) is Asana's security operations organization, made up of red and blue team specialists focused on protecting Asana's employees, users, and customers. We proactively address threats, embed security across the product lifecycle, and partner closely with Asana's broader R&D and engineering teams to make security-by-design the norm. We are looking for a collaborative, analytical Security Architecture Engineer to join our team in Warsaw to solve complex design challenges and scale our architectural security defenses.

This role is based in our Warsaw office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. Working from home on Fridays depends on the type of work you do and the teams with which you partner. If you're interviewing for this role, your recruiter will share more about the in-office requirements.

We offer a Contract of Employment (UoP) for our employees in Poland.

What you’ll achieve

• Security Design Review & Threat Modelling: Lead architecture reviews and structured threat modelling (such as STRIDE, OWASP Threat Dragon, and MITRE ATT&CK) for new and in-flight projects to identify risk early and produce actionable guidance before code is written.

• Code & Data Flow Analysis: Conduct security-focused code reviews and analyze data flows across services, APIs, and integrations to identify trust boundaries and attack surface reduction opportunities.

• Defensive Engineering Recommendations: Translate threat model findings into concrete engineering recommendations and feed architectural weaknesses to STORM’s red team for proactive adversary emulation planning.

• Architecture Standards & Frameworks: Build and mature Asana’s security architecture review process and define standards aligned to industry best practices like NIST 800-53, FedRAMP, ISO 27001, and OWASP ASVS.

• Security Pattern Library: Develop and maintain a reusable security pattern library for authentication, authorization, encryption, API security, and data handling that engineering teams can adopt directly.

• AI Security Architecture: Evaluate AI tooling and integrations using industry standards (such as OWASP Maestro and OWASP Top 10 for LLMs), assessing risks including prompt injection, model misuse, data leakage, and supply chain exposure.

• AI Governance: Develop governance practices for AI-augmented development workflows and stay current with the evolving AI security landscape.

• Security Artifact Advocacy: Champion security-by-design by driving organizational adoption of architecture diagrams, data flow diagrams, and threat models as first-class engineering artefacts.

• Training & Culture: Deliver highly technical training and workshops to engineering and product teams, making the secure choice the path of least resistance across the organization.

About you

• 7+ years of progressive experience in security roles, with a focus on security architecture, application security, or high-scale design reviews.

• Hands-on proficiency with threat modelling methodologies (STRIDE/PASTA, OWASP Threat Dragon) and the MITRE ATT&CK framework at the TTP level.

• Competency conducting security-focused code reviews across modern languages, including Python, Go, Java, or TypeScript.

• Deep functional knowledge of compliance frameworks and baselines, including NIST 800-53, FedRAMP, ISO 27001, OWASP ASVS, and the AWS Well-Architected Security pillar.

• Strong understanding of authentication/authorisation mechanisms (OAuth 2.0, OIDC, SAML, SSO) and container infrastructure security (Kubernetes RBAC, pod security, network policies, and secrets management).

• Familiarity with emerging AI security standards, specifically the OWASP Top 10 for LLMs, OWASP Maestro, or securing multi-tenant SaaS platforms.

• Demonstrated track record of translating complex architectural risks into clear, pragmatic guidance for engineers and senior stakeholders.

• Proven ability to build security review processes from low maturity and shift engineering culture through influence and collaboration.

• Strong technical writing skills with experience producing architectural diagrams, threat models, and clean documentation that teams reference daily.

• Demonstrates curiosity about AI tools and emerging technologies, with a willingness to learn and leverage them to enhance productivity, collaboration, or decision-making.

At Asana, we're committed to building teams that include a variety of backgrounds, perspectives, and skills, as this is critical to helping us achieve our mission. If you're interested in this role and don't meet every listed requirement, we still encourage you to apply.

What we’ll offer

• Generous, transparent and fair compensation system (base salary and RSUs).

• Contract of Employment (and the option of 50% tax deductible costs for author’s rights usage in respect of applicable roles).

• Health insurance with dental and travel coverage (Lux Med).

• Breakfast and lunch catering on the days that you work from the office.

• Vacation allowance.

• Career growth budget.

• Home office setup budget.

• Gym/Fitness card.

• Fertility healthcare and family-forming support with Carrot.

• Mental Health Support in Modern Health.

• Group life insurance.

• MacBooks with all necessary accessories.

For this role, the estimated base salary range is between 31,900 - 36,000 PLN PLN gross per month (subject to all taxes and necessary deductions) The actual base salary will vary based on various factors, including market and individual qualifications objectively assessed during the interview process. The listed range above is a guideline, and the base salary range for this role may be modified. In addition to base salary, your compensation package may include additional components such as equity and benefits. If you're interviewing for this role, speak with your recruiter to learn more about the total compensation and benefits for this role.

#LI-Hybrid