MoonPay is a unified payments platform for digital currency, aiming to simplify the process of buying, selling, and using digital currencies. They are seeking a Senior Application Security Engineer to enhance their security systems through rigorous reviews, penetration testing, and fostering a secure development culture across engineering teams.
Responsibilities:
- Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process
- Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate
- Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation
- Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls
- Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance
- Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack
- Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization
- Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation
- Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements
Requirements:
- You have developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security, and can connect these areas to drive a holistic security approach
- You have hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation
- You have the ability to read, understand, and review source code to identify security issues, with ideally, a particular focus on JavaScript and TypeScript codebases
- You have a strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC)
- You have experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns
- You have experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle
- You have collaborated closely with engineering teams to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations, and support the implementation of effective fixes for both technical and non-technical audiences
- You are self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset
- You have experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases
- You have experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities, to help secure and operate internet-facing applications
- You have experience testing and securing GraphQL, REST APIs, including understanding common GraphQL/REST-specific attack vectors and security considerations
- You have experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations
- You have an interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications