Security Architecture Engineer, STORM

STORM (Security Threat Operations & Response Management) is Asana's security operations organization, made up of red and blue team specialists focused on protecting Asana's employees, users, and customers . We proactively address threats, embed security across the product lifecycle, and partner closely with Asana's broader R&D and engineering teams to make security-by-design the norm . We are looking for a collaborative, analytical Security Architecture Engineer to join our team in Warsaw to solve complex design challenges and scale our architectural security defenses .

This role is based in our Warsaw offi ce with an office-centric hybrid schedule . The standard in-office days are Monday, Tuesday, and Thursday . Most Asanas have the option to work from home on Wednesdays . Working from home on Frida ys depends on the type of work you do and the teams with which you partner . If you're interview ing for this role, your recruiter will share more about the in-office requirements .

We offer a Contract of Employment (UoP) for our employees in Poland .

What you’ll achieve

Security Design Review & Threat Modelling: Lead architecture reviews and structured threat modelling (such as STRIDE, OWASP Threat Dragon, and MITRE ATT&CK) for new and in-flight projects to identify risk early and produce actionable guidance before code is written .

Code & Data Flow Analysis: Conduct security-focused code reviews and analyze data flows across services, APIs, and integrations to identify trust boundaries and attack surface reduction opportunities .

Defensive Engineering Recommendations: Translate threat model findings into concrete engineering recommendations and feed architectural weaknesses to STORM’s red team for proactive adversary emulation planning .

Architecture Standards & Frameworks: Build and mature Asana’s security architecture review process and define standards aligned to industry best practices like NIST 800-53, FedRAMP, ISO 27001, and OWASP ASVS .

Security Pattern Library: Develop and maintain a reusable security pattern library for authentication, authorization, encryption, API security, and data handling that engineering teams can adopt directly .

AI Security Architecture: Evaluate AI tooling and integrations using industry standards (such as OWASP Maestro and OWASP Top 10 for LLMs), assessing risks including prompt injection, model misuse, data leakage, and supply chain exposure .

AI Governance: Develop governance practices for AI-augmented development workflows and stay current with the evolving AI security landscape .

Security Artifact Advocacy: Champion security-by-design by driving organizational adoption of architecture diagrams, data flow diagrams, and threat models as first-class engineering artefacts .

Training & Culture: Deliver highly technical training and workshops to engineering and product teams, making the secure choice the path of least resist