Application Security Engineer

Remote Full-time
The Role
You'll own application security across our mobile banking platform, payments stack, and a growing set of regulated products. The work is hands-on (threat modeling, security reviews, CI/CD tooling) with real process ownership. You'll report to the Group CISO and work closely with both our engineering teams and the Bank IS function.

Justification

As Salmon expands its product lineup (cards, payments, ATM network), the need for a dedicated Application Security function has become critical. Currently, there is no specialist owning secure development practices, mobile security testing, or supply chain risk.
This role fills that gap: ensuring internal systems and customer data are protected, embedding security into the product delivery process, and building the AppSec practices needed to meet regulatory expectations and support secure growth.

Responsibilities

Risk-driven security ownership
Identify which systems, data flows, and product changes carry the highest real-world risk and build your work around that, not around tool coverage or compliance checklists

Decide when a security gate is worth slowing down a release and when it isn't, own that call, and be able to explain it to engineering and the CISO

Maintain a risk register for application-layer exposures: what's open, what's accepted, what's being fixed, and why in that order

Secure SDLC
Figure out where in our delivery process security decisions are actually being made and put controls there

Run threat modeling for high-stakes product changes before design is locked, not after

Build a mobile security testing baseline that the team runs themselves

CI/CD and supply chain
Assess what the current pipeline actually catches versus what it produces as noise, and fix the ratio before adding more scanners

Own supply chain posture: dependency pinning, SBOM, internal registry, and the response process when a package gets compromised

Own secrets detection and remediation end-to-end

Regulatory and cross-team work
Translate application security gaps into language that satisfies BSP examiners without over-engineering the evidence

Coordinate security input into new product launches across our Group and Bank structure


Requirements

Experience
7+ years in application security, with meaningful ownership over both technical work and process

Has built or substantially improved a secure SDLC in a fast-moving product org

Has run threat modeling on real product features and influenced design decisions as a result

Has owned vulnerability management end-to-end: triage, remediation tracking, SLA management, risk acceptance

Has done hands-on mobile security testing (iOS and/or Android) in a production context, not just UAT

Understands modern supply chain attack vectors (compromised npm and PyPI packages, malicious IDE plugins, typosquatting, dependency confusion) and knows how to reduce exposure at the tooling and process level

Comfortable writing Python or Bash to automate repetitive security work

Technical skills
SAST, DAST, SCA in CI/CD pipelines: knows how to tune for signal, not just coverage

API security: authentication flows, token handling, common abuse patterns

Mobile security: OWASP ASVS/MASVS applied in practice

Supply chain: SBOM generation and dependency risk management

Secrets management: detection, remediation, and structural prevention

Working knowledge of AWS and containers sufficient to understand where application risks extend into infrastructure

Nice to have
Experience in a regulated environment (financial services or similar)

Familiarity with PCI-DSS, ISO 27001, or BSP MORB

Certifications: OSCP, GWEB, GWAPT, CSSLP

Communication
Strong written English; most day-to-day alignment is async

Can explain a security issue clearly to an engineer and summarize the same issue for a non-technical stakeholder