Senior Application Security Engineer

About The Position

Requirements

• 5–7 years of experience in a security engineering or application security role, ideally within a fintech or high-growth startup environment
• Strong communication skills — able to translate technical risk clearly for both engineering audiences and senior leadership
• Hands-on SAST/DAST experience; familiarity with tools such as Semgrep, Snyk, Checkmarx, Burp Suite Pro, or equivalents
• Demonstrated ability to independently work security incidents end-to-end — including malware, phishing, DLP events, and API abuse
• Experience securing cloud-native environments, including IAM, container/Kubernetes workloads, and serverless functions
• Solid working knowledge of API security standards (OWASP API Top 10, OAuth 2.0/OIDC, JWT hardening)
• Strong ethics and discretion — this role regularly handles confidential and sensitive information
• Familiarity with AI/LLM security risks and emerging standards (OWASP LLM Top 10, MITRE ATLAS) — including prompt injection, data leakage through model outputs, and supply chain risks introduced by third-party AI services

Nice To Haves

• Experience with mobile application security testing (iOS/Android) is a plus
• Familiarity with security frameworks including SOC 2, PCI-DSS, NIST CSF, and OWASP SAMM
• Scripting proficiency in Python and/or Bash for automation and tooling; experience with security orchestration platforms (e.g., Tines, XSOAR, Torq) is a plus
• Security certifications a plus (OSCP, GWEB, CISSP, SANS GWAPT, etc.)

Responsibilities

• Embed security into the SDLC by partnering with Engineering to implement secure design patterns, conduct threat modeling, and deliver developer-focused AppSec training
• Lead and perform application security assessments including SAST, DAST, SCA, and manual code review across web, mobile, and API surfaces
• Drive API security across internal and external services — including authentication, authorization, rate limiting, and abuse prevention controls
• Own and mature the vulnerability management program, including prioritization frameworks, SLA tracking, and cross-functional remediation coordination
• Champion software supply chain security initiatives, including SBOM generation, dependency risk analysis, and third-party component vetting
• Assist GRC with technical third-party risk reviews and vendor security assessments
• Respond to and lead security incidents in a measured, programmatic, and timely manner — from identification through post-incident review
• Implement and iterate on security automation and orchestration to improve detection, response, and coverage at scale
• Implement, monitor, and continuously improve security controls across cloud infrastructure, endpoints, and the product
• Assess and mitigate AI-specific security risks across Branch's use of LLMs and AI-powered features, including prompt injection, model abuse, and insecure output handling

Benefits

• Market-leading medical, dental, and vision insurance
• Stock options
• Free Premium-Tier Origin Financial Wellness subscription
• Monthly home-office stipend
• 401k (TransAmerica)
• 12-weeks paid parental leave for birthing and non-birthing parents
• Flexible time off + sick and safe time
• 11 paid company holidays