Application Security Engineer – Manchester Based (3 Days Hybrid)
Finova is seeking a hands‑on Application Security Engineer to embed security into the design, build, and shipment of software across a multi‑cloud SaaS fintech platform.
About the Role
* Core Responsibility: Partner closely with developers, the IAM Specialist, and the Cloud Security Engineer to ensure identity, infrastructure, and code are defended together.
* The Stack: Multi‑cloud environment spanning AWS, Azure and GCP. Applications run on .NET / ASP.NET with SQL Server backends.
* Key Challenge: Protect regulated financial data while defending a growing portfolio of AI‑powered features against a new class of application risks (prompt injection, model abuse, and training data leakage).
* Work Model: Highly collaborative, hands‑on hybrid role focused on making secure‑by‑default the path of least resistance for engineering teams.
About You
* Experience: 4–6 years in application security, product security, or security‑focused software engineering within regulated environments.
* Framework Expertise: Strong working knowledge of .NET / ASP.NET application security (Claims‑based identity, ASP.NET Core authorization, data protection APIs).
* Security Models: Deep familiarity with OWASP Top 10, OWASP ASVS, and hands‑on experience leading threat modelling sessions (STRIDE/attack trees).
* CI/CD Pipeline Skills: Experience integrating and tuning security tools (SAST, SCA, DAST) within Azure DevOps, GitHub Actions or similar pipelines.
* Code Review: Confident reading and reviewing C# code to find authorization flaws, deserialization issues, or tenant isolation gaps during PRs.
* Core Fundamentals: Solid understanding of cryptographic primitives, API security at scale (OAuth 2.0 / OIDC, JWT pitfalls), and SaaS multi‑tenancy data exposure risks.
* Consultative Delivery: Experience working as a delivery engineer or consultant, shipping security work into messy, deadline‑driven customer environments.
* Communication: Clear communicator who can effectively coach a junior engineer, debate with a senior engineer, and explain critical risks to non‑technical executives.
Nice to Have
* Fintech Background: Experience working in fintech, payments, banking or insurance environments.
* AI Security: Hands‑on experience securing AI/LLM features, prompt injection defense, and familiarity with OWASP LLM Top 10 or MITRE ATLAS.
* Offensive Security: An offensive security background (OSCP, OSWE or equivalent) or experience with bug bounty program design.
* Certifications: CSSLP, GWAPT, GWEB, CISSP or vendor‑specific cloud security certifications.
* Database Security: Experience identifying SQL Server‑specific application risks, including ORM misuse and stored procedure vulnerabilities.
* Community Contributions: Contributions to open‑source security tooling, CVE research, or published security writing.
Key Attributes
* The Collaborative Builder: Thrive in shared‑accountability environments, working alongside infrastructure and identity specialists to build multi‑layered defenses.
* Pragmatic and Ruthless: Tune tools to protect developer workflows from noise, ensuring that every alert is a high‑signal, high‑trust finding.
* Curious and Adaptive: Energized by new technical frontiers, translating the emerging risks of AI endpoints and LLMs into practical engineering guardrails.
* Resilient Communicator: Comfortable operating in regulated environments, translating complex vulnerabilities into business context for leadership while remaining a trusted peer to developers.
What Will You Be Doing?
Secure SDLC & Shift‑Left Automation
* Toolchain Ownership: Own the application security toolchain end‑to‑end (SAST, SCA, DAST, secrets, container and IaC scanning) integrated into Azure DevOps and GitHub Actions.
* Scanner Optimization: Tune scanners to maximize high‑signal findings and eliminate noise so engineers trust the alerts.
* Early Detection: Build and maintain pre‑commit and pull‑request security checks to catch issues before code is merged.
* Vulnerability Management: Drive CVSS‑based SLAs, automated tracking and exception workflows for application‑layer issues across product teams.
* Coding Standards: Define and evolve secure coding standards for .NET / ASP.NET (input validation, cryptography, logging and authorization patterns).
Threat Modelling & Secure Design
* Active Threat Modelling: Lead threat modelling sessions for new features using STRIDE or attack trees, turning outputs into tracked work items.
* Design Architecture: Review Architectural Decision Records, API designs and data flow diagrams before code is written.
* Developer Pairing: Provide hands‑on security guidance by pairing with developers on complex authorization logic, cryptographic choices or tenant isolation.
* Pattern Catalogues: Maintain a living catalogue of approved secure patterns and anti‑patterns so teams can build securely at speed.
Vulnerability Management & Penetration Testing
* Lifecycle Management: Own the remediation lifecycle for application findings discovered via internal testing, customer reports, bug bounties and external pentests.
* Pentest Coordination: Scope and coordinate external penetration tests, select vendors, challenge false positives and build remediation plans.
* Internal Testing: Conduct manual code reviews of high‑risk areas, dynamic testing of new features and adversarial reviews of authorization logic.
* Purple‑Teaming: Build and run purple‑team exercises against internal applications to test detection and response capabilities alongside Security Operations.
Application‑Layer Authorization (in partnership with IAM)
* Access Validation: Partner with the IAM Specialist to ensure RBAC/ABAC implementations behave correctly, tenant context is mandatory and defaults fail closed.
* ASP.NET Hardening: Review and harden authorization implementations (Claims, policies, attributes, custom middleware) and write unit/integration tests to prove isolation.
* Policy Design: Contribute to OPA / Rego policy design from the application side and integrate policy decision points into application code.
* Bug Hunting: Systematically hunt for high‑stakes authorization bugs such as IDOR, BOLA, broken access control and mass assignment.
API & Service Security
* API Standards: Define and enforce standards for authentication (OAuth 2.0, mTLS), rate limiting and schema validation across REST, GraphQL and gRPC.
* Gateway Hardening: Partner with the Cloud Security Engineer to harden API gateway configurations, request validations and JWT validation rules.
* Layer‑7 Protections: Implement and monitor WAF rules, bot management and anti‑automation controls without disrupting legitimate customer integrations.
* Inventory Tracking: Maintain a clear inventory of internal and external APIs, their classifications and their security postures.
AI & ML Application Security
* AI Risk Leadership: Lead security thinking for AI features, defending against prompt injection, jailbreaks, model DoS and inference data leakage.
* Adversarial Testing: Design and run security testing for LLM‑backed endpoints and feed findings back into prompt design and guardrails.
* Confused‑Deputy Prevention: Collaborate with IAM to ensure AI endpoints cannot be weaponized to bypass direct access limitations.
* Data Pipeline Security: Define secure‑use patterns for embeddings, vector databases, RAG pipelines and feature stores to prevent tenant data leaks.
* Landscape Tracking: Translate evolving AI security frameworks (OWASP LLM Top 10, MITRE ATLAS) into practical engineering standards.
Compliance, Evidence & Engineering Enablement
* Automated Evidence: Ensure application security controls satisfy SOC 2 Type II and PCI‑DSS requirements via automated pipeline collection.
* Audit Support: Support audits and customer assurance reviews by providing technical context and clear remediation narratives.
* Security Training: Run secure coding workshops, threat modelling enablement, and post‑incident learning sessions for engineers.
* Incident Response: Contribute to incident response for application‑security events through root‑cause analysis and blameless post‑mortems.
What We Offer
* Hybrid working – work in the office with flexibility to work remotely as needed.
* Private medical insurance – comprehensive health cover with option to add family.
* Life assurance and income protection – peace of mind for the future.
* Family friendly policies – enhanced leave beyond maternity and paternity.
* Work from anywhere – approval to work abroad for up to 4 weeks each year.
* Flexible holiday package – 25 days paid holiday plus public holidays, with option to rebook or trade.
* Company pension scheme – salary exchange to save on tax and build a secure future.
* Employee assistance programme – confidential counselling helpline.
* Electric car scheme – brand‑new electric vehicle with salary sacrifice.
* Health cash plan – reimbursement for everyday healthcare costs.
* Gym discounts – savings on annual memberships at numerous gyms and leisure centres.
* Perks – fully stocked pantry, weekly socials and events.
Equal Opportunity Statement
We value diversity and are committed to creating an inclusive environment for all employees. If you are passionate about this role but don’t meet all the criteria, please reach out – we would love to discuss how your skills and experiences align with our needs.