Application Security Engineer

  • GoCardless
  • London, UK
  • Jun 12, 2019
Full time Developer Security

Job Description

We're looking for amazing security engineers to join our team and continue to build a secure GoCardless. We're operating in the dynamic environment of FinTech, so Security is something we take very seriously. We take this as an opportunity to create and implement state-of-the-art measures to minimise exposures and vulnerabilities.

As an App Security engineer, you will play a key role in ensuring that GoCardless teams take all required steps in building a secure product set, including application penetration testing, threat modelling, design reviews, and developing our internal tooling and procedures.

Whether you are engineering a system to address a technical security hurdle, protecting our customers' data, or consulting on a wide range of security topics, you are empowered to engage and lead across business units. You will be working alongside our Product Managers and audit specialists to design and implement measures that will keep GoCardless' platform secure.

We work closely with our engineering teams, who are building simple and reliable solutions to complex problems. We keep our development cycles fast by reviewing and adapting our plans frequently and by investing in a culture of continuous feedback.

We're primarily built in Ruby and JavaScript using Rails, and we rely on Postgres, ElasticSearch, GCP and Chef. However, we believe in using the best technologies for each task – we have used React where server rendering is needed, Go for our infrastructure, and Python for our data analysis.

What you'll do

  • Implement measures to secure and protect the GoCardless products and systems
  • Perform design reviews and threat modelling of GoCardless services and products
  • Perform vulnerability assessments and security testing (we'll expect you to already know the type of security vulnerabilities a company like ours faces)
  • Provide subject-matter expertise on all areas of security and privacy throughout the software development lifecycle
  • Work with development teams on design, code reviews and education, continually seeking to shift left
  • Participate in cross-team security initiatives
  • Contribute to the formulation of our security strategy
  • Drive the implementation and dissemination of security-critical metrics
  • Automate and continually improve our approaches through the development of tooling and procedures

What you'll need

  • Degree in a STEM or related field, or equivalent work experience
  • Experience in vulnerability testing and auditing techniques
  • Hands-on experience with scripting and proficiency in programming
  • Strong analytical and reasoning skills
  • A proven and strong depth of expertise in security engineering, system and network security, authentication and security protocols, cryptography and application security, with hands-on experience in web applications for critical 24/7 services
  • A proven understanding of web application security and security architecture, applying defence in depth
  • Able to use and interpret the results from software tools and security testing tooling such as Nmap, Nessus, dig, MITM proxies and Wireshark
  • Able to conduct penetration testing and vulnerability assessment of networks and applications in both traditional environments and cloud services, including web application testing for OWASP Top 10 vulnerabilities

Not essential, but nice to have

  • Computer Science degree, or equivalent experience
  • Fluency in one or more of: Ruby, Python, or Go
  • Experience of security in a DevOps environment and/or experience of Agile methodologies (e.g. Scrum, Kanban)
  • Experience in multiple programming languages (especially scripting languages such as Python, Ruby, Perl, etc.)
  • A comprehensive knowledge of web application security
  • Experience in security tooling (Burp proxy, web/network scanners, static code analysers, etc.) and their integration into the company's systems
  • Experience in cloud services such as GCP and AWS
  • Sound knowledge of the OWASP Top 10 and how these vulnerabilities can be prevented
  • Knowledge of the latest industry threats
  • Experience of performing security design reviews, threat modelling and risk assessments
  • Professional security qualifications are desirable (e.g. CISSP, Offensive Security, SANS Institute, etc.)
  • Awareness and experience of the Data Protection Act, ISO 27001 and PCI DSS

You should apply if:

  • You're passionate about security and technology
  • You care deeply about building reliable, well-tested and secure systems
  • You enjoy solving problems and automating responses for recurrent issues
  • You thrive in a culture of code review
  • You enjoy working in a diverse company that welcomes fresh thinking