application security engineer
генерация резюме под вакансию
сопроводительное письмо
описание
Salmon Group Ltd operates a mobile banking platform, payment systems, and a range of regulated financial products. The organization focuses on securing customer data and internal systems while integrating security practices into product delivery to meet regulatory standards.
задачи
- Identify systems, data flows, and product changes with high real-world risk and prioritize work accordingly;
- Decide when security gates are necessary for releases and justify these decisions to engineering and the CISO;
- Maintain a risk register for application-layer exposures, tracking open issues, fixes, and risk acceptance;
- Integrate security controls into the delivery process;
- Conduct threat modeling for high-stakes product changes before design is finalized;
- Build a mobile security testing baseline for team execution;
- Assess and optimize CI/CD pipeline security tools to improve signal-to-noise ratios;
- Manage supply chain posture, including dependency pinning, SBOM, internal registries, and incident response for compromised packages;
- Manage secrets detection and remediation end-to-end;
- Translate security gaps into documentation for regulatory examiners;
- Coordinate security input for new product launches across the group and bank structure.
требования
- 7+ Years of experience in application security with ownership of technical work and processes;
- Proven experience building or improving secure SDLC in fast-moving product organizations;
- Experience running threat modeling on product features and influencing design decisions;
- Experience managing vulnerability lifecycles end-to-end, including triage, remediation, and risk acceptance;
- Hands-on experience with mobile security testing for iOS or Android in production;
- Understanding of modern supply chain attack vectors and methods to reduce exposure at the tooling and process level;
- Proficiency in Python or Bash for security automation;
- Knowledge of SAST, DAST, SCA, API security, OWASP ASVS/MASVS, and secrets management;
- Understanding of AWS and container security;
- Strong written English for async communication;
- Ability to explain security issues to both technical and non-technical stakeholders;
- Nice to have: Experience in regulated environments like financial services, familiarity with PCI-DSS, ISO 27001, or BSP MORB, and certifications such as OSCP, GWEB, GWAPT, or CSSLP.
условия
- No conditions specified
навыки
Если просят войти через iCloud, отправить коды из SMS, запустить код, что-то установить, перевести деньги или сделать что угодно, связанное с деньгами, не соглашайтесь: это признаки мошенничества.