Please let One know you found this job on RemoteYeah. This helps us grow 🌱.
Description:
As an Application Security Engineer, you will be responsible for ensuring that One delivers secure and reliable applications at scale.
You will partner with engineers to build security into the product from the ground up and create engineering tools and workflows that test and validate artifacts.
Your role includes developing security frameworks and providing subject-matter expertise to product teams regarding security best practices.
You will optimize secure coding practices and use offensive security techniques to harden the environment and improve overall security practices.
Responsibilities include guiding the development of applications through the Secure Development Lifecycle (SDLC) process, performing SAST/DAST and penetration testing, and maintaining an automated testing framework.
You will develop safe libraries, harden existing libraries, enforce SDLC practices via Infrastructure-As-Code (IaC) policies, and validate the security posture of new features.
You will triage and validate security vulnerabilities, train engineers on secure coding practices, contribute to application threat models, and maintain awareness of known vulnerabilities.
Collaboration with Security and engineering teams to maintain a security architecture that mitigates risk and meets regulatory requirements is essential.
You will provide expertise around code-level security concerns during product development.
Requirements:
You must have 4+ years of experience in security engineering, DevSecOps, and application development.
Excellent knowledge of CVSS, MITRE ATT&CK, and OWASP Top 10 is required.
Proficiency in TypeScript is necessary.
A practical understanding of AWS and its core services (VPC, EC2, RDS) is essential.
You should have demonstrated experience in modern application architecture and deployment practices.
Experience with Library/API/Framework development is required.
You must have experience integrating security scanning tools with CI/CD, Web Application pentesting, fuzzing, and DAST.
Expertise in verifying and measuring common security vulnerabilities and the ability to communicate these concepts to both technical and non-technical partners is necessary.
Exposure to technologies such as AWS, iOS, Android, Vault, Kubernetes, PKI, React, GraphQL, and Datadog is preferred.
Knowledge of cryptography, including algorithms and standards, is required.
Experience defining security architecture patterns and standards is necessary.
Proficiency in modern security evaluation tooling (Burp, Wireshark, Kali, etc.) is essential.
Understanding of regulatory compliance concerns (GLBA, CCPA, PCI) is preferred.
You should embody the Triple H Factor: Humble, Hungry, and Honest.
Benefits:
You will receive competitive cash compensation.
Benefits are effective on day one of employment.
You will have early access to a high-potential, high-growth fintech.
Generous stock option packages are available in this early-stage startup.
The position is remote-friendly (anywhere in the US) and office-friendly, allowing you to choose your schedule.
Flexible time off programs include vacation, sick leave, paid parental leave, and paid caregiver leave.
A 401(k) plan with a match is offered.