Partnership: Unlike traditional security teams, our team acts as a strategic partner to Engineering. We are not a “toll booth” that blocks releases, but consultants who help squads ship secure products quickly.
Influence and Visibility: The AppSec professional at Creditas has direct exposure to Product and Engineering teams. They participate in the design phase of solutions.
High-Performance, Collaborative Environment: “We run together.” The team is known for intense knowledge sharing. A senior analyst here is not isolated; they mentor, learn from other sub-areas (Cloud, GRC) and grow in a cutting-edge proprietary technology environment.
Hybrid work requirement: Must attend our office in the Morumbi area of São Paulo once a month for 4 consecutive days, usually in the last or first week of the month (Creditas in Person).
Requirements
Responsible for executing the Application Security strategy, ensuring Creditas’ software development lifecycle (SDLC) is resilient, scalable, and secure. This professional will:
Lead the AppSec program: Define and implement security controls across the development lifecycle, from design to deployment.
Threat Modeling: Facilitate sessions with product squads to identify architectural risks before implementation.
Code Vulnerability Management: Manage and optimize SAST, DAST, and SCA (software composition analysis of third-party dependencies) tools, ensuring findings are prioritized based on actual business risk rather than raw scanner severity.
Security Champions Culture: Implement and maintain technical awareness programs, empowering developers to act as the first line of defense.
Critical Architecture Review: Validate new designs and API integrations, ensuring compliance with frameworks such as OWASP ASVS and internal standards.
Vulnerability Lifecycle Management: Manage the remediation flow with engineering teams, addressing root causes rather than symptoms.
Technical and Business Interface: Serve as the focal point to translate technical security risks into business impacts for Product Owners and stakeholders.
Security Automation: Define and maintain indicators (remediation SLAs, defect density) and automate security validations within CI/CD pipelines.
Tech Stack
Cloud
SDLC
Benefits
Health plan (Alice)
Dental plan (SulAmérica)
Wellz: 100% free therapy sessions
Wellhub: access to gyms and studios
Creditas Endurance: program to encourage high-impact sports
Pharmacy discounts (Univers)
Life insurance (Porto Seguro)
Birthday day off
Extended parental leave: 6 months for birthing parents and 35 days for non-birthing parents
Family Care: support program for new parents
Childcare allowance
Allowance for dependents with disabilities (PWDs)
SESC: access to SESC units for you and your dependents