[Remote] Senior Application Security Engineer
Note: The job is a remote job and is open to candidates in the USA.

MoonPay is a unified payments platform for digital currency, aiming to onboard the world to the decentralized economy. The Senior Application Security Engineer will strengthen systems through security reviews, penetration testing, and managing the Bug Bounty program while collaborating with engineering teams to embed security best practices throughout the software development lifecycle.

Responsibilities

- Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process
- Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate
- Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation
- Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls
- Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance
- Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack
- Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization
- Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation
- Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements

Skills

- You have developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security, and can connect these areas to drive a holistic security approach
- You have hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation
- You have the ability to read, understand, and review source code to identify security issues, with, ideally, a particular focus on JavaScript and TypeScript codebases
- You have a strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC)
- You have experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns
- You have experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle
- You have collaborated closely with engineering teams to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations, and support the implementation of effective fixes for both technical and non-technical audiences
- You are self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset
- You have experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases
- You have experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities, to help secure and operate internet-facing applications
- You have experience testing and securing GraphQL and REST APIs, including understanding common GraphQL/REST-specific attack vectors and security considerations
- You have experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations
- You have an interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications

Benefits

- Competitive salary package
- Equity package: We believe financial freedom starts with our employees, so all employees have ownership at MoonPay
- Pay for performance equity bonus: Those who drive outsized outcomes receive outsized rewards
- Moonshot award: We honor exceptional impact - 10 employees twice a year, each earning a $250,000 equity grant
- Unlimited holidays: We give you the autonomy to choose when to work (and when to switch off)
- Hybrid working schedule: Work fully remotely or your nearest Moonbase, the choice is yours
- Private Healthcare benefits: To protect you and your loved ones
- Enhanced parental leave: So you can spend more time with your loved ones without a second thought
- Annual training budget: We support your training journey every step of the way
- Home office setup allowance: Create the home office of your dreams
- Remote working allowance: Those working fully remotely get a little extra for utilities
- Monthly budget to spend on our products and zero fee crypto transactions: Cultivate your inner DEGEN
- Employee referral programme: Great people know great people, refer them to receive 10K in USDC
- Regular remote company offsites: Meet your colleagues regularly for high-impact in-person sessions and hackathons
- Working in a disruptive and fast-growing company where excellence is rewarded

Company Overview

MoonPay is a fintech company providing payment infrastructure for converting fiat currencies into cryptocurrencies and NFTs. It was founded in 2019, and is headquartered in Dover, Delaware, USA, with a workforce of 201-500 employees. Its website is https://www.moonpay.com.

Company H1B Sponsorship

MoonPay has a track record of offering H1B sponsorships, with 1 in 2025, 1 in 2024, 2 in 2023, 6 in 2022. Please note that this does not guarantee sponsorship for this specific role.