Security Architect
31,900 - 36,000 PLN / month (UoP, employment contract)
Senior · Full-time · Employment contract
#378608 · Added today
Source: SOLID.Jobs
Tech Stack / Keywords
Security, Cybersecurity, Python, Golang, Java, TypeScript
Company and position
Asana is the work management platform for human + AI collaboration. It helps organizations bring people, processes, and AI together to plan, track, and deliver work with clarity and speed. Powered by the Work Graph®, Asana provides teams with context and control to stay aligned, keep work moving, and scale impact. More than 170,000 organizations, including Accenture, Amazon, Anthropic, Morningstar, and Suzuki, use Asana for their critical work.
Requirements
- 7+ years of progressive experience in security roles focusing on security architecture, application security, or high-scale design reviews.
- Hands-on proficiency with threat modeling methodologies (STRIDE/PASTA, OWASP Threat Dragon) and the MITRE ATT&CK framework at the TTP level.
- Competency in security-focused code reviews across Python, Go, Java, or TypeScript.
- Deep knowledge of compliance frameworks including NIST 800-53, FedRAMP, ISO 27001, OWASP ASVS, and AWS Well-Architected Security pillar.
- Strong understanding of authentication/authorization mechanisms (OAuth 2.0, OIDC, SAML, SSO) and container infrastructure security (Kubernetes RBAC, pod security, network policies, secrets management).
- Proven ability to translate complex architectural risks into clear, pragmatic guidance for engineers and senior stakeholders.
Nice to have:
- Familiarity with emerging AI security standards such as OWASP Top 10 for LLMs, OWASP Maestro, or securing multi-tenant SaaS platforms.
- Curiosity about AI tools and emerging technologies with willingness to learn and leverage them to enhance productivity, collaboration, or decision-making.
Responsibilities
- Lead security design reviews and structured threat modeling (STRIDE, OWASP Threat Dragon, MITRE ATT&CK) for projects to identify risks early and provide guidance before coding.
- Conduct security-focused code reviews and analyze data flows across services, APIs, and integrations to identify trust boundaries and reduce attack surfaces.
- Translate threat model findings into engineering recommendations and provide architectural weaknesses to the red team for adversary emulation.
- Build and mature Asana’s security architecture review process and define standards aligned with NIST 800-53, FedRAMP, ISO 27001, and OWASP ASVS.
- Develop and maintain a reusable security pattern library for authentication, authorization, encryption, API security, and data handling.
- Evaluate AI tooling and integrations using industry standards (OWASP Maestro, OWASP Top 10 for LLMs), assessing risks such as prompt injection, model misuse, data leakage, and supply chain exposure.
- Develop governance practices for AI-augmented development workflows and stay current with the evolving AI security landscape.
Benefits
- Salary range 31,900–36,000 PLN gross per month (Employment contract).
- Employment contract with 100% flexible working hours.
- Hybrid remote work.
- Training budget.
- Medical package, insurance, and sports package.
- Complimentary cold beverages and meals.
Training subsidy
Healthcare
Insurance
Sports card
Drinks in the office
Free snacks