Key skills
AndroidCloudiOSKubernetesPythonSDLCBashAILLMServerlessIAMOAuthJWTLeadershipCommunicationSnykCheckmarxOWASP
About this role
Role Overview
- Embed security into the SDLC by partnering with Engineering to implement secure design patterns, conduct threat modeling, and deliver developer-focused AppSec training
- Lead and perform application security assessments including SAST, DAST, SCA, and manual code review across web, mobile, and API surfaces
- Drive API security across internal and external services — including authentication, authorization, rate limiting, and abuse prevention controls
- Own and mature the vulnerability management program, including prioritization frameworks, SLA tracking, and cross-functional remediation coordination
- Champion software supply chain security initiatives, including SBOM generation, dependency risk analysis, and third-party component vetting
- Assist GRC with technical third-party risk reviews and vendor security assessments
- Respond to and lead security incidents in a measured, programmatic, and timely manner — from identification through post-incident review
- Implement and iterate on security automation and orchestration to improve detection, response, and coverage at scale
- Implement, monitor, and continuously improve security controls across cloud infrastructure, endpoints, and the product
- Assess and mitigate AI-specific security risks across Branch's use of LLMs and AI-powered features, including prompt injection, model abuse, and insecure output handling
Requirements
- 5–7 years of experience in a security engineering or application security role, ideally within a fintech or high-growth startup environment
- Strong communication skills — able to translate technical risk clearly for both engineering audiences and senior leadership
- Hands-on SAST/DAST experience; familiarity with tools such as Semgrep, Snyk, Checkmarx, Burp Suite Pro, or equivalents
- Demonstrated ability to independently work security incidents end-to-end — including malware, phishing, DLP events, and API abuse
- Experience securing cloud-native environments, including IAM, container/Kubernetes workloads, and serverless functions
- Solid working knowledge of API security standards (OWASP API Top 10, OAuth 2.0/OIDC, JWT hardening)
- Experience with mobile application security testing (iOS/Android) is a plus
- Familiarity with security frameworks including SOC 2, PCI-DSS, NIST CSF, and OWASP SAMM
- Scripting proficiency in Python and/or Bash for automation and tooling; experience with security orchestration platforms (e.g., Tines, XSOAR, Torq) is a plus
- Strong ethics and discretion — this role regularly handles confidential and sensitive information
- Familiarity with AI/LLM security risks and emerging standards (OWASP LLM Top 10, MITRE ATLAS) — including prompt injection, data leakage through model outputs, and supply chain risks introduced by third-party AI services
- Security certifications a plus (OSCP, GWEB, CISSP, SANS GWAPT, etc.)
Tech Stack
- Android
- Cloud
- iOS
- Kubernetes
- Python
- SDLC
Benefits
- Market-leading medical, dental, and vision insurance
- Stock options
- Free Premium-Tier Origin Financial Wellness subscription
- Monthly home-office stipend
- 401k (TransAmerica)
- 12-weeks paid parental leave for birthing and non-birthing parents
- Flexible time off + sick and safe time
- 11 paid company holidays