Application Security Engineer at Quantifi
Quantifi · New York, United States of America · Onsite
- Professional
- Optional office in New York
- Patch security vulnerabilities directly in the codebase in real time, working in languages such as C#, C++, Python, Java, or JavaScript
- Develop, implement, and maintain secure coding libraries and frameworks that developers can leverage to build secure-by-default applications, effectively eliminating entire classes of vulnerabilities (e.g., custom authentication libraries, secure data handlers).
- Perform root cause analysis (RCA) on identified vulnerabilities, not only patching the immediate issue but also identifying and fixing systemic weaknesses in the codebase and development patterns.
- Act as a key security stakeholder in architectural design reviews, providing expert guidance on topics such as cryptography, authentication/authorization services, REST APIs, network security, and data protection.
- Define and enforce non-functional security requirements (NFSRs) for all new development, ensuring that security is a core consideration alongside performance and reliability.
- Create security tooling for continuous integration pipelines to detect, block, and remediate issues (e.g., secrets detection, SAST, software composition analysis).
- Develop internal tools to streamline compliance with regulatory and audit requirements (e.g., SOC 2).
- Scope, manage, and validate the findings from third-party penetration tests, translating external reports into actionable internal tickets and verifying the effectiveness of fixes.
- Perform deep-dive, manual application security assessments on critical applications, APIs, and services, simulating real-world attack scenarios that automated tools cannot detect.
- Develop and maintain runbooks and procedures for responding to application-specific security incidents, ensuring a swift and effective response.
- Act as the primary technical resource for triaging, validating, and prioritizing vulnerabilities identified through automated scans, manual penetration testing, and external bug bounty programs.
- Partner directly with development teams to provide concrete, code-level remediation guidance.
- Manage the vulnerability lifecycle, from discovery to closure, ensuring that risks are addressed in accordance with internal SLAs and risk appetite.
- 3-5+ years of dedicated, hands-on experience in an Application Security or related software security engineering role.
- Bachelor's degree in Computer Science, Information Security, or a related technical field.
- Ability to articulate complex technical security concepts to both technical engineers and non-technical business stakeholders.
- Strong proficiency in software development with at least one modern language used in fintech (e.g., C#, Python, Java, C++), coupled with a deep understanding of application architecture, including microservices, REST APIs, and event-driven systems.
- Hands-on experience deploying, configuring, and interpreting results from a range of security tools.
- Demonstrated expertise in manual secure code review, threat modeling, and implementing a secure SDLC. You must be able to identify common vulnerabilities (e.g., XSS, SQLi, SSRF, insecure deserialization) in code and recommend specific, effective mitigations.
- Possession of relevant certifications is highly desirable (e.g., CISSP, CSSLP, GIAC, GWAPT, OSCP, CASE).
- Experience securing applications within a major cloud provider (AWS, Azure, GCP) and familiarity with container security (Docker, Kubernetes) and Infrastructure as Code (IaC) security (Terraform).
- You will be working with a talented team of engineers on challenging problems in an entrepreneurial, supportive and collaborative environment.
- You will be in a firm that values employee development and will be provided with ample guidance, training and support.
- You will have the opportunity to learn from senior staff as well as from our clients, which include some of the most sophisticated financial firms.
- You will be working on the latest technology in a firm that thrives on innovation.