Application Security Engineer

Responsibilities

• Product Security Ownership: Take end-to-end ownership of the security of our web and mobile applications, built with technologies like React and Flutter.
• Application Penetration Testing: Conduct regular and in-depth penetration testing of our web and mobile applications to identify and remediate vulnerabilities.
• Secure SDLC & DevSecOps: Champion and integrate security seamlessly into the entire DevOps deployment process. Design, implement, and manage a robust DevSecOps pipeline, automating security testing (SAST, DAST, IAST, SCA) to provide fast feedback to developers.
• Mobile Application Security: Implement and enforce security best practices for our Flutter and React-based mobile applications, including secure data storage, secure network communication, and code obfuscation.
• Threat Modelling: Conduct threat modelling exercises to identify potential security risks and design effective mitigation strategies.
• Security Champion and Advocate: Act as the go-to person for all application security matters. Mentor and train developers on secure coding practices and create a strong security-aware culture within the engineering team.
• Incident Response: Develop and maintain an incident response plan for application security incidents. Lead the response to any security breaches, conduct post-mortem analysis, and implement corrective actions.
• Vulnerability Management: Manage the lifecycle of identified vulnerabilities, from discovery to remediation, ensuring timely patching and reporting.
  

Requirements

• Experience: 3-5 years of relevant experience in application security, with a proven track record in a fast-paced environment. Experience in regulated sectors (like finance or fintech) is highly welcome.
• Penetration Testing: Extensive hands-on experience in both manual and automated penetration testing of web and mobile applications.
• Application Architecture: Strong understanding of application architecture principles and the ability to identify security flaws at the design level.
• Cloud Security (AWS): In-depth knowledge of AWS security services and best practices. Hands-on experience with CSPM and CWPP tools is a must.
• DevSecOps: Proven experience in building and managing a DevSecOps pipeline, with a deep understanding of the DevOps deployment process and how to effectively embed security controls within CI/CD workflows.
• Mobile Security: Demonstrable experience in securing mobile applications, particularly those built with Flutter and React.
• Programming and Scripting: Proficiency in at least one scripting language (e. g., Python, Bash) for automation and a good understanding of the languages used in our stack (e. g., JavaScript, Dart).
• Security Tools: Hands-on experience with a variety of security tools for SAST, DAST, SCA, and infrastructure scanning.
• Certifications: Professional security certifications are preferred, in the following order: Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM).
• Communication: Excellent communication and interpersonal skills, with the ability to articulate complex security concepts to both technical and non-technical audiences.