Security Architecture Engineer, STORM

STORM (Security Threat Operations & Response Management) is Asana's security operations organization, made up of red and blue team specialists focused on protecting Asana's employees, users, and customers. We proactively address threats, embed security across the product lifecycle, and partner closely with Asana's broader R&D and engineering teams to make security-by-design the norm. We are looking for a collaborative, analytical Security Architecture Engineer to join our team in Warsaw to solve complex design challenges and scale our architectural security defenses.

This role is based in our Warsaw office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. Working from home on Fridays depends on the type of work you do and the teams with which you partner. If you're interviewing for this role, your recruiter will share more about the in-office requirements.

We offer a Contract of Employment (UoP) for our employees in Poland.

What you’ll achieve

Security Design Review & Threat Modelling: Lead architecture reviews and structured threat modelling (such as STRIDE, OWASP Threat Dragon, and MITRE ATT&CK) for new and in-flight projects to identify risk early and produce actionable guidance before code is written.

Code & Data Flow Analysis: Conduct security-focused code reviews and analyze data flows across services, APIs, and integrations to identify trust boundaries and attack surface reduction opportunities.

Defensive Engineering Recommendations: Translate threat model findings into concrete engineering recommendations and feed architectural weaknesses to STORM’s red team for proactive adversary emulation planning.

Architecture Standards & Frameworks: Build and mature Asana’s security architecture review process and define standards aligned to industry best practices like NIST 800-53, FedRAMP, ISO 27001, and OWASP ASVS.

Security Pattern Library: Develo