Application Security Engineer bei Quantifi
Quantifi · New York, Vereinigte Staaten Von Amerika · Onsite
- Professional
- Optionales Büro in New York
Quantifi is seeking a dedicated Application Security Engineer to join our team full-time. In this role you’ll serve as the organization's primary authority on application security, providing pragmatic, risk-based guidance to engineering, product, and leadership on a wide range of security topics. You’ll Interface directly with clients and prospective clients to articulate our security posture, discuss our security controls and processes, and complete security questionnaires, thereby building trust and supporting the sales cycle.
Responsibilities
Development of Secure Code up to and Including the Writing of Code
- Patch real-time security vulnerabilities directly in the codebase using languages like C#, C++, Python, Java, or JavaScript
- Develop, implement, and maintain secure coding libraries and frameworks that developers can leverage to build secure-by-default applications, effectively eliminating entire classes of vulnerabilities (e.g., custom authentication libraries, secure data handlers).
- Perform root cause analysis (RCA) on identified vulnerabilities, not only patching the immediate issue but also identifying and fixing systemic weaknesses in the codebase and development patterns.
Collaborate with Product and Development
- Act as a key security stakeholder in architectural design reviews, providing expert guidance on topics such as cryptography, authentication/authorization services, REST APIs, network security, and data protection.
- Define and enforce non-functional security requirements (NFSRs) for all new development, ensuring that security is a core consideration alongside performance and reliability.
Build Security Automation
- Create security tooling for continuous integration pipelines to detect, block, and remediate issues (e.g., secrets detection, SAST, software composition analysis).
- Develop internal tools to streamline compliance with regulatory requirements (e.g. SOC2).
Security Testing and Incident Response
- Scope, manage, and validate the findings from third-party penetration tests, translating external reports into actionable internal tickets and verifying the effectiveness of fixes.
- Perform deep-dive, manual application security assessments on critical applications, APIs, and services, simulating real-world attack scenarios that automated tools cannot detect.
- Develop and maintain runbooks and procedures for responding to application-specific security incidents, ensuring a swift and effective response.
Hands-On Vulnerability Management & Remediation
- Act as the primary technical resource for triaging, validating, and prioritizing vulnerabilities identified through automated scans, manual penetration testing, and external bug bounty programs.
- Partner directly with development teams to provide concrete, code-level remediation guidance.
- Manage the vulnerability lifecycle, from discovery to closure, ensuring that risks are addressed in accordance with internal SLAs and risk appetite.
Required Qualifications and Skills:
- 3-5+ years of dedicated, hands-on experience in an Application Security or related software security engineering role.
- Bachelor’s degree in computer science, Information Security, or a related technical field.
- Ability to articulate complex technical security concepts to both technical engineers and non-technical business stakeholders.
- Strong proficiency in software development with at least one modern language used in fintech (e.g., C#, Python, Java, C++), coupled with a deep understanding of application architecture, including microservices, REST APIs, and event-driven systems.
- Hands-on experience deploying, configuring, and interpreting results from a range of security tools.
- Demonstrated expertise in manual secure code review, threat modeling, and implementing a secure SDLC. You must be able to identify common vulnerabilities (e.g., XSS, SQLi, SSRF, insecure deserialization) in code and recommend specific, effective mitigations.
- Possession of certifications is highly desirable (e.g., CISSP, CSSLP, GIAC, GWAPT, OSCP, CASE.)
- Experience securing applications within a major cloud provider (AWS, Azure, GCP) and familiarity with container security (Docker, Kubernetes) and Infrastructure as Code (IaC) security (Terraform).
Salary Range $120,000 - $140,000
What we offer:
- You will be working with a talented team of engineers on challenging problems in an entrepreneurial, supportive and collaborative environment
- You will be in a firm that values employee development and will be provided with ample guidance, training and support
- You will have the opportunity to learn from senior staff as well as our clients that include some of the most sophisticated financial firms
- You will be working on the latest technology in a firm that thrives on innovation
