Senior Application Security Engineer

Pennylane SAS
Hybrid

About The Position

Pennylane is seeking an Application Security Engineer to join their growing team. This role involves managing all technical security matters, supporting ISO 27001 compliance, and advising employees, particularly developers, on security best practices. The technical security team is responsible for handling security issues from detection to resolution, working collaboratively with developers and Security Champions.

Requirements

  • Ability to perform offensive security assessments on infrastructure and applications.
  • Knowledge of how to exploit and fix a wide range of Web vulnerabilities and explain them to non-technical individuals.
  • Experience in a programming language (Ruby, Python, JavaScript) for scripting or larger projects.
  • Experience in cloud infrastructure security.
  • Ability to explain technical terms in accessible language to facilitate the adoption of security measures and communicate messages broadly.
  • Fluency in French and/or English (oral and written).
  • Humility.
  • Team player, comfortable working with remote colleagues.
  • Proactive and organized.
  • Quick learner, enjoys working on diverse projects (application security, cloud infrastructure, training, ISO 27001).
  • Speak English (level assessed and appreciated according to the department).
  • Energized by an ever-shifting work environment.
  • Highly collaborative (within team or with other stakeholders).
  • Sufficiently experienced to prioritize business-led actions in daily activities.

Responsibilities

  • Ensure the security of Pennylane’s application and infrastructure through security by design principles.
  • Collaborate with the Product Team to integrate security into features from the design phase through delivery.
  • Maintain the security of the main Web application (Ruby on Rails and ReactJS), including its dependencies, code, infrastructure, and configuration.
  • Conduct code reviews from a secure development perspective, given approximately 80 releases per day.
  • Detect vulnerabilities and propose appropriate patches.
  • Enhance the security level of the CI/CD configuration.
  • Work with the DevOps team to secure the AWS infrastructure, including the Kubernetes environment (AWS EKS).
  • Conduct and perform regular security assessments (code reviews, pentests, bug bounty, infrastructure assessments) internally or with external consulting companies.
  • Strengthen existing methods for detecting malicious attempts.
  • Participate in all security incidents, investigate logs, block attacks, and propose corrective actions to prevent future threats.
  • Ensure compliance with ISO 27001 controls related to development (code practices, validation, patch management, vulnerability management).
  • Train developers, monitor projects (tech, product), conduct internal audits, and manage technical non-conformities.
  • Build/Improve secure development training materials and conduct regular training sessions for developers.
  • Engage developers in the Security Champions program.
  • Improve security awareness throughout the company.
  • Contribute to tenders by explaining security policies and providing necessary technical details.

Benefits

  • 25 vacation days paid by Pennylane.
  • Competitive compensation package.
  • Company shares.
  • Budget for home office setup.
  • Monthly allowance to work from a coworking space.
  • Access to 8000 fitness spaces in Europe and over 300 wellness activities through Gymlib.
  • Latest Apple equipment.
  • Remote work option from European countries within a two-hour time difference of CET.
  • Regular company events (Tech Days, annual seminar).
  • French contract with 6 to 12 RTT days, 5 weeks of PTO, lunch credits (Swile), Alan Blue healthcare cover, and regular events in French cities (for those based in France).
  • Commitment to providing similar advantages to people based outside of France.