Overview
Senior Application Security Engineer role at Rain. This position focuses on secure software development, cloud-native defense, and improving Rain's application and platform security posture. You will partner with engineering squads and collaborate with Cloud Security and GRC teams to advance security in the SDLC.
Responsibilities
* Collaborate with development squads to validate vulnerabilities and provide actionable remediation guidance aligned with business risk.
* Drive threat modeling sessions (e.g., STRIDE, PASTA) for critical systems and APIs.
* Design, implement, and oversee automated processes for securely updating application and code dependencies, proactively mitigating issues and ensuring timely vulnerability remediation.
* Integrate security checks into CI/CD pipelines (SAST, DAST, SCA, IaC), using tools such as Semgrep, Snyk, Trivy, and Burp Suite.
* Contribute to runtime security initiatives (e.g., container/Kubernetes hardening, RASP, and eBPF-based detection).
* Build and maintain a security issues dashboard to track remediation status and metrics.
* Provide real-time support during cybersecurity incidents impacting applications or cloud infrastructure (exploited vulnerability, credential stuffing, web/API attacks).
* Partner with the Cloud Security team on security automation tasks and monitoring improvements (e.g., Security Hub automations, DLP monitoring).
* Conduct proactive research on new threats, vulnerabilities, and attack techniques relevant to Rain's architecture.
* Collaborate with the GRC team to develop and deliver internal security awareness initiatives, phishing campaigns, and developer training (e.g., secure coding, API security).
* Participate in the continuous improvement of AppSec maturity (e.g., alignment with OWASP SAMM, ISO 27001, or SOC 2 frameworks).
Required Qualifications
* Fluent English, including strong verbal and written skills.
* Strong problem-solving and analytical mindset.
* Excellent communication skills to convey security risks to technical and non-technical stakeholders.
* 3–5+ years of experience in application security, penetration testing roles, and/or secure code development, including work with QA teams.
* Hands-on experience with SAST, DAST, and SCA tools (e.g., Semgrep, Burp, Snyk).
* Deep understanding of web, mobile, and API vulnerabilities (OWASP Top 10, API Top 10, MITRE CWE).
* Proven expertise in performing code reviews or security assessments and writing clear reports.
* Proficiency in at least one backend language (e.g., Go, Python, Node.js) and understanding of React/React Native front-ends.
* Familiarity with secure architecture of microservices, event-driven systems, and REST APIs using OAuth2/OpenID Connect.
* Experience securing CI/CD pipelines and integrating AppSec tooling into the SDLC.
* Solid knowledge of containerization and Kubernetes security fundamentals.
* Understanding of cloud security (preferably AWS), including IAM principles, cloud-native service configurations, and network segmentation.
* Comfortable with Agile development methodologies and cross-functional squads.
* Software supply chain security (e.g., SBOM, artifact signing).
Preferred Qualifications
* Certifications such as OSCP, OSWE, GWAPT, CPTE, or CSSLP.
* AWS, GCP, or Azure Security Specialty certification.
* Familiarity with bug bounty triage and vulnerability management platforms (e.g., DefectDojo).
* Experience implementing RASP or eBPF runtime protection tools.
* Exposure to LLM/AI security considerations and secure code generation practices.
* Familiarity with logging and monitoring tools (e.g., CloudWatch, Datadog, Grafana).
Who We Are
Rain is a fast-growing earned wage access (EWA) fintech in the U.S., serving 3.5 million employees and backed by top investors like QED and Prosus. We have raised nearly $400M in funding—including the largest Series A in fintech history—and recently closed our Series B to accelerate growth. Rain is committed to Equal Employment Opportunity and does not discriminate on race, religion, color, national origin, ethnicity, gender, sex (including pregnancy), protected veteran status, age, disability, sexual orientation, gender identity, gender expression, or any unlawful criterion under applicable laws. If you need assistance or accommodation due to a disability, you may contact us at ******.
Seniority level
* Mid-Senior level
Employment type
* Full-time
Job function
* Information Technology
#J-18808-Ljbffr