Itc Infotech India

Senior Application Security Engineer

  • Posted 15 hours ago

Job Description

Role Summary

Owns the application security architecture and DevSecOps strategy for the SCF platform. Responsible for threat modelling, security baseline definition, SAST/DAST programme governance, and ensuring zero critical vulnerabilities in production-bound releases. Acts as the security authority across all squads, engaged from the Discovery phase through to Extended Build completion.

Key Responsibilities

  • Produce the security baseline and threat model for the SCF platform during the Discovery phase
  • Define and govern the application security architecture: OAuth2/OIDC, mTLS, RBAC, API security (WAF, rate limiting, schema validation), and secrets management
  • Own the SAST programme (Snyk/Checkmarx) — configure scan policies, triage findings, and enforce remediation SLAs
  • Own the DAST programme (OWASP ZAP) — define scan scope, review results, and track remediation
  • Define security requirements for all integration touchpoints: Finastra Nexus, KYC/AML adapter, payment hub, ERP connectors
  • Design SIEM integration hooks — define structured security event schema for authentication events, authorisation failures, anomaly detections, and audit log entries
  • Conduct security design reviews for all 6 core microservices and portal applications
  • Prepare penetration testing readiness artefacts and coordinate with Finastra's security team
  • Ensure compliance with OWASP Top 10, SANS Top 25, and financial services security standards

Required Skills & Experience

  • 8+ years in application/information security with 3+ years in a security architect role
  • Deep expertise in application security: OAuth2/OIDC, mTLS, JWT, API security, and secrets management
  • Hands-on experience with SAST tools (Snyk, Checkmarx, or Veracode) and DAST tools (OWASP ZAP, Burp Suite)
  • Experience designing security architectures for microservices and API-first platforms
  • Knowledge of SIEM integration patterns and security event schema design
  • Familiarity with cloud security controls on AWS or Azure (IAM, Security Groups, KMS, GuardDuty)
  • Understanding of financial services security and compliance requirements (PCI-DSS, ISO 27001, GDPR)

Nice to Have

  • CISSP, CISM, or CEH certification
  • Experience with HashiCorp Vault for secrets management
  • Knowledge of security standards and threat models specific to banking or payments platforms
  • Experience with penetration testing coordination in financial services environments

Job ID: 148934131
