Application Security Engineer

Summary

Join OnePay, a consumer financial services app, as an Application Security Engineer to safeguard our platform and protect customer transactions. You will design secure AWS architectures, embed automated threat detection, and ensure compliance with rigorous standards (PCI, CCPA, GLBA). This pivotal role involves architecting secure AWS configurations, embedding security into CI/CD pipelines, securing container and orchestration environments, conducting threat modeling, performing secure code reviews, automating security tasks, building AppSec automation frameworks, partnering with security teams, developing AppSec standards, supporting regulatory assessments, and translating technical findings to non-technical stakeholders. OnePay offers a unique opportunity to build a category-defining business with the backing of Walmart and Ribbit Capital. We are deeply embedded with the distribution of the world’s largest omnichannel retailer and have an industry-leading multi-product value proposition.

Requirements

• 8–12 years’ experience in application security engineering, DevSecOps, or security platform engineering
• Deep familiarity with CVSS, MITRE ATT&CK frameworks, OWASP Top 10 and CWE taxonomy
• Proven experience with AWS core services: IAM, KMS, VPC, EC2, RDS, EKS
• Hands-on expertise in securing IaC and CI/CD pipelines; strong knowledge of policy-as-code tooling
• Container security experience: Docker, Kubernetes, EKS-related threat surfaces
• Solid threat modeling and secure code review skills; SAST/SCA tool proficiency
• Experience scripting automation (e.g. Python, Bash, PowerShell) to streamline AppSec tasks
• Capability to lead in-house AppSec frameworks or tooling development
• Strong communicator, able to translate technical findings to non-technical stakeholders
• Track record of defining and institutionalizing security architecture patterns

Responsibilities

• Architect and implement secure AWS configurations (IAM roles/policies, encryption keys, VPC segmentation)
• Embed security into CI/CD pipelines and repos using policy-as-code tools (pre-commit hooks, SAST/SCA, IDE tool integrations)
• Secure container and orchestration environments (EKS, Kubernetes, Docker) per best practices
• Conduct threat modeling sessions and risk‑driven design reviews early in development
• Perform secure code reviews and static/dynamic analysis; oversee remediation with dev teams
• Automate repetitive security tasks—vulnerability triage, code scanning, tool orchestration
• Build and extend in-house AppSec automation frameworks or pentest tooling
• Partner with security architecture and detection teams (SIEM tuning, logging, telemetry alignment)
• Develop and enforce AppSec standards and patterns across product teams; iterate through feedback loops
• Support regulatory or compliance assessments (PCI, CCPA, GLBA) as needed