Application Security Engineer
Gurugram, India
Platform (Product & Technology Group)

About Payoneer
Founded in 2005, Payoneer is the global financial platform that removes friction from doing business across borders, with a mission to connect the world’s underserved businesses to a rising global economy. We’re a community with over 2,500 colleagues all over the world, working to serve customers and partners in over 190 countries and territories.
By taking the complexity out of the financial workflows–including everything from global payments and compliance to multi-currency and workforce management, to providing working capital and business intelligence–we give businesses the tools they need to work efficiently worldwide and grow with confidence.
Position Overview:
We are seeking an Application Security Engineer to join our Cyber Team in Payoneer. In your role, you will be responsible for overall Application Security standards, guidelines, and requirements for the WFM organization (formerly known as Skuad, acquired by Payoneer), aligning them to the Payoneer global application security policies and standards. Your expertise in secure architecture, design, and SSDLC will play a crucial role in ensuring the security of our products and the protection of our sensitive data. In addition, you will serve as a Cyber Operations representative within your organization, helping the Payoneer global cyber security team with the overall policies and methodologies within your organization.
Responsibilities:
- Secure SDLC Leadership: Lead and manage all aspects of the SSDLC, driving "shift-left" initiatives and secure-by-design principles to identify and remediate risks early in the development cycle.
- Risk Assessment & Threat Modeling: Perform design reviews and threat modeling for product environments and third-party integrations, aligning security with business objectives and regulatory requirements, while training and empowering R&D teams to conduct their own threat modeling to ensure security is built-in from the start.
- Security Controls Ownership: Oversee the implementation and management of security tools, scan policies, and vulnerability management processes to ensure consistent enforcement across the organization.
- Offensive Security Management: Own the third-party penetration testing program and manage the bug bounty lifecycle, including vendor engagement, scheduling, and the validation and triage of findings.
- Organizational Alignment: Partner with the Payoneer global Application Security and Cyber Operations teams to align local security posture with corporate policies and controls.
- Subject Matter Expertise: Serve as a technical authority and mentor on application security, providing guidance to internal teams on selecting and integrating security solutions.
- Incident Response & Infrastructure: Lead cybersecurity incident handling in production environments while enhancing cloud infrastructure security posture at scale.
Requirements:
- 3+ years of experience in security architecture, software development, or cloud security, including at least 1 year in a leadership or senior advisory role.
- Deep hands-on experience with secure coding, application architecture, security automation, and threat modeling, including the ability to train R&D teams in performing their own assessments.
- Strong proficiency in Google Cloud Platform (GCP) or other major public clouds, with a comprehensive understanding of cloud-native security services and principles.
- In-depth knowledge of OWASP Top 10, ASVS, and industry-standard secure software development frameworks.
- Solid understanding of networking fundamentals, including TCP/IP, firewalls, VPNs, and proxy servers.
- Proven ability to interpret and prioritize results from penetration testing and bug bounty programs; hands-on pentesting experience is a significant plus.
- Excellent verbal and written English skills, with the ability to convey complex security concepts to both technical and non-technical stakeholders.
- Ability to manage multiple parallel initiatives while providing consistent AppSec support and constructively challenging architectural assumptions across teams.
Advantages:
- Bachelor's degree in Computer Science, Information Security, or a related field.
- Professional security certifications such as CISSP, CISM, CCSP, or OSCP.
- Hands-on experience with Google Cloud Platform (GCP) security services and best practices.
- Experience with cloud security posture management and protection platforms like Wiz, Aqua, or similar tools.
- Strong knowledge of Kubernetes architecture, container security, and orchestration services.
- Hands-on experience integrating security tools into CI/CD pipelines and production environments (SAST, SCA, DAST, etc.).
- Experience within the fintech or financial services industry, as well as financial regulatory requirements and compliance standards, including PCI DSS, PSD2, and GDPR.
The Payoneer Ways of Working
Act as our customer’s partner on the inside
Learning what they need and creating what will help them go further.
Do it. Own it.
Being fearlessly accountable in everything we do.
Continuously improve
Always striving for a higher standard than our last.
Build each other up
Helping each other grow, as professionals and people.
If this sounds like a business, a community, and a mission you want to be part of, apply today.
We are committed to providing a diverse and inclusive workplace. Payoneer is an equal opportunity employer, and all qualified applicants will receive consideration for employment no matter your race, color, ancestry, religion, sex, sexual orientation, gender identity, national origin, age, disability status, protected veteran status, or any other characteristic protected by law. If you require reasonable accommodation at any stage of the hiring process, please speak to the recruiter managing the role for any adjustments. Decisions about requests for reasonable accommodation are made on a case-by-case basis.