OnePay is a consumer fintech trusted by millions of Americans to enhance their financial experience. The Application Security Engineer will play a crucial role in safeguarding the platform by designing secure architectures and embedding automated threat detection, ensuring compliance with rigorous standards.
Responsibilities:
- Perform secure code reviews and static/dynamic analysis; oversee remediation with dev teams
- Conduct threat modeling sessions and risk-driven design reviews early in development
- Automate repetitive security tasks—vulnerability triage, code scanning, tool orchestration
- Build and extend in-house AppSec automation frameworks or pentest tooling
- Architect and implement secure AWS configurations (IAM roles/policies, encryption keys, VPC segmentation)
- Embed security into CI/CD pipelines and repos using policy-as-code tools (pre-commit hooks, SAST/SCA, IDE tool integrations)
- Secure container and orchestration environments (EKS, Kubernetes, Docker) per best practices
- Partner with security architecture and detection teams (SIEM tuning, logging, telemetry alignment)
- Develop and enforce AppSec standards and patterns across product teams; iterate through feedback loops
- Support regulatory or compliance assessments (PCI, CCPA, GLBA) as needed
Requirements:
- 8–12 years' experience in application security engineering, DevSecOps, or security platform engineering
- Solid threat modeling and secure code review skills; SAST/SCA tool proficiency
- Experience scripting automation (e.g. Python, Bash, PowerShell) to streamline AppSec tasks
- Capability to lead in-house AppSec frameworks or tooling development
- Deep familiarity with CVSS, MITRE ATT&CK frameworks, OWASP Top 10 and CWE taxonomy
- Proven experience with AWS core services: IAM, KMS, VPC, EC2, RDS, EKS
- Hands-on expertise in securing IaC and CI/CD pipelines; strong knowledge of policy-as-code tooling
- Container security experience: Docker, Kubernetes, EKS-related threat surfaces
- Strong communicator, able to translate technical findings to non-technical stakeholders
- Track record of defining and institutionalizing security architecture patterns