Application Security Engineer

Pennylane
📍Remote - France, Portugal
Summary
Join Pennylane, a rapidly growing Fintech company in France and Europe, as an Application Security Engineer. You will be part of the technical security team, reporting to the Head of Information Security. Your responsibilities will include ensuring the security of Pennylane's applications and infrastructure, conducting security assessments, and ensuring compliance with ISO 27001 standards. You will also be responsible for training developers on secure development practices and contributing to tenders by explaining Pennylane's security policies. This role is crucial for Pennylane's mission to become the most beloved financial operating system for European SMEs.
Requirements
- You are mid/senior level in defensive or offensive application security, are a quick learner and like to work on different projects
- As a security team member at Pennylane, you’ll work on all security topics (application, cloud infrastructure, security by design, training, ISO 27001, etc.)
- Working in an English-speaking environment doesn't scare you, you don't need to be bilingual
- You need to be able to share your ideas and thoughts well in spoken and written English and to understand what is being said
- Able to perform offensive security assessments on an infrastructure or an application
- You know how to exploit and fix a wide range of Web vulnerabilities (not just the OWASP top 10)
- You already have experience in a programming language (Ruby, Python, JavaScript), either for quick and dirty scripting to exploit a vulnerability or for larger projects
- You have experience in cloud infrastructure security
- You are able to popularize technical terms to facilitate the adoption of security measures within projects or to broadcast messages to Pennylaners
- You are autonomous, proactive and organized
- Working with remote colleagues is not an issue for you
- To speak English (level is assessed and appreciated according to the department you’re applying to)
- To be energized by an ever-shifting work environment
- To be highly collaborative (within your team or other stakeholders)
- Sufficiently experienced to prioritize business-led actions on your day to day activity
- If you’re hesitating, we encourage you to apply: who knows, it might be the start of a meaningful and long-lasting collaboration
- We also want to emphasize that we fully embrace diversity, equity and inclusion and that we’re doing our best to create a safe and inclusive environment
- We are committed to providing an equal employment opportunity regardless of gender, sexual orientation, origin, disabilities, or any other traits that make you who you are
- If anything, diversity makes us a more fun place to work at
Responsibilities
- You will be required to work on
- All technical security issues/projects while providing technical support on compliance needs
- Security by design within the projects by discussing with the teams to consider the security risks
- To be proactive in the security projects to be carried out, to define and to prioritize them
- Ensure the security of the main Web application in Ruby on Rails and React: its dependencies, its code, its infrastructure and its configuration
- Security and maintaining the security condition of other applications and AWS infrastructure, including its Kubernetes environment (AWS EKS)
- Conduct and perform regular security assessments (internally or by an external firm) on the applications (code reviews/pentests/bug bounty in particular) and the infrastructure
- Ensure compliance with ISO 27001 controls (processes) related to development (mandatory code practices, validation, patch management, vulnerability management, etc.) by training developers, monitoring projects (tech, product), conducting regular internal audits and managing tech non-conformities
- Conducting code reviews from a secure development point of view (about 80 releases per day, not all of which have security implications, but it is an important and recurring topic)
- Build/Improve secure development training materials and conduct regular training sessions with the developers
- Contribute to tenders to explain our security policies and provide the necessary technical details
- Learn about Rails and React to detect vulnerabilities during code reviews and implement associated patches
- Strengthen the current means of detecting malicious attempts
Preferred Qualifications
- Bonus: if you have already developed in Ruby or React and/or if you have technical application security certifications
- A multi-skilled profile will be preferred
Benefits
- If you need help with this, we can provide you with a Busuu subscription to improve your English immediately
- You’ll be able to work fully from your home or any co-working space in France, or from our wonderful office in the center of Paris
- You’ll have a compensation package
- You'll get company shares to enjoy a piece of the success story you're building with us
- You’ll get between 8 and 13 additional days off (on top of the 25 standard ones) to rest and do what you love each year
- You’ll have lunch credits (Swile card) to buy your favorite food every day
- You’ll have a great healthcare cover (Alan Blue) to take care of yourself and your family
- You’ll have a budget to turn your home into a more comfortable workspace, as well as a monthly allowance to work from a coworking space whenever you feel like it
- Through our partner Gymlib, you’ll have access to 8000 fitness spaces in Europe and more than 300 activities related to wellness
- You’ll have access to Busuu to perfect your English or your French
- You’ll get the latest Apple equipment
- You’ll be part of a vibrant social community: we do lots of sports together (football, running, climbing...), we love to hang out and have a drink together (Thursday after-work drinks on our rooftop are a usual thing), and twice a year we hold company seminars; last time we went on a trip to Centerparcs and it was fabulous!
- We're working on providing those last advantages to our people based outside of France as well, but it can be quite more complex depending on different countries
- You'll be able to work remotely from your country of residence, as long as it is in Europe and within a maximum time difference of two hours from the CET time zone
- Wherever you are based, you will get 25 vacation days paid by Pennylane
- You’ll have a competitive compensation package
- You'll get company shares to enjoy a piece of the success story you're building with us
- You’ll have a budget to turn your home into a more comfortable workspace, as well as a monthly allowance to work from a coworking space whenever you feel like it
- Through our partner Gymlib, you’ll have access to 8000 fitness spaces in Europe and more than 300 activities related to wellness
- You’ll have access to Busuu to perfect your English or your French
- You’ll get the latest Apple equipment
- We are committed to regularly coming together for company events such as Tech Days (which bring remote Pennylaners together every 3 months) or our annual company seminar, fostering significant moments of cohesion for everyone
- If you are based in France, you will have a French contract following French regulation on top of the additional perks: 6 to 12 RTT, 5 weeks PTOs, lunch credits (Swile), Alan Blue healthcare cover and regular events in cities where Pennylaners are mostly present (Lyon, Bordeaux, Nantes…)
- We're working on providing those last advantages to our people based outside of France as well, but it can be quite more complex depending on different countries