Application Security Engineer

United Kingdom - Remote•Portugal - Remote•Spain - Remote•South Africa - Remote

Remote

Senior

Full Time

30 days ago

remoteequitysecuritypenetration testingblockchaincryptoweb3cloudflareapplication security

Requirements

•Developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security
•Hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation
•Ability to read, understand, and review source code to identify security issues, with a focus on JavaScript and TypeScript codebases
•Strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC)
•Experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns
•Experience embedding application security practices into CI/CD pipelines
•Experience collaborating closely with engineering teams to communicate security findings and support implementation of fixes
•Self-motivated, proactive, and takes strong ownership of work, operating effectively in a remote environment

•Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process
•Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate
•Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation
•Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls
•Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance
•Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack
•Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization
•Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation
•Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements

•Experience in JavaScript and TypeScript, including ability to read and reason about modern web application codebases
•Experience working with Cloudflare, including hosting and Web Application Firewall (WAF) capabilities
•Experience testing and securing GraphQL, REST APIs, including understanding common attack vectors and security considerations
•Experience or strong interest in Web3 security testing, including smart contracts, blockchain-based applications, or Web3 integrations
•Interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications
•Contributed to the security community through open source involvement, participation in CTFs, or speaking at local information security meetups and conferences
•Experience working with disruptive technologies and successfully launching products, ideally within FinTech, SaaS, or Crypto
•Holds one or more security relevant certifications such as OSCP or OSWE