Sr. Application Security Engineer
Do you want to be part of an innovator that is changing the e-commerce landscape and reinventing the way global merchants and issuers combat fraud through collaboration? If you’re excited by shattering expectations and making a contribution that will turn stale thinking into breakthrough ideas, Ethoca - A Mastercard Company is the place for you. We welcome the challengers and thought leaders. We want the agile, creative risk-takers who can address challenges with an open mind, the freedom to innovate and the strength to dominate. Ethoca - A Mastercard Company’s growth is explosive, and only great problem-solvers, collaborators and thinkers can help us take it to the next level. If that sounds like you, keep reading.
Before Ethoca, everyday merchants and issuers would identify thousands of confirmed or suspected fraudulent transactions in isolation. They had no way of bridging this costly – and completely avoidable – divide. When Ethoca introduced Ethoca Alerts in 2010, it revolutionized the industry’s approach to fighting e-commerce fraud. Ethoca Alerts closes the information gap between card issuers and merchants, giving merchants unprecedented direct access to issuers’ cardholder-confirmed fraud intelligence. As part of Ethoca’s collaboration-based network, for the first time, merchant businesses have a window of opportunity to act on fraud that has already been confirmed by Ethoca’s global network of card issuers.
Ethoca was founded in 2005, with headquarters in Toronto, and offices in Austin, London, Dublin and Frankfurt.
To support our continued growth and success, we are seeking a Sr. Application Security Engineer. You are an experienced technical professional who is a coder at heart with a passion for Security. You will be part of our Security team, reporting into our Director of Information Security, providing specialized knowledge and acting as liaison with Product Development teams to continually improve the security posture of Ethoca’s platform and advance our agenda to introduce security requirements early in the software development life cycle.
- Drive adoption of security best practices and frameworks within Product Development
- Assist during secure code reviews
- Contribute to the development of in-house software libraries that provide/encapsulate security services
- Coordinate and manage application penetration tests and vulnerability assessments
- Enhance the Security Culture at Ethoca through active participation in security group initiatives
- Vet security courses in our e-learning platform for our developers
- Continually address and reduce knowledge gaps between Security and Development
- Work efficiently and with exceptional attention to detail within an organization driven by leading requirements for security and compliance (PCI Level 1, SOC2, etc.)
Required Skills and Experience:
- Degree in Computer Science, Engineering or equivalent relevant experience
- Excellent communication skills, both written and verbal
- Strong knowledge of Java programming and its frameworks (e.g. OpenJDK, Spring, Maven)
- Proficiency in OWASP Top 10
- Experience with cryptographic APIs (e.g. JCE) and an understanding of PKI principles
- Strong knowledge of authentication protocols (e.g. OAuth, SAML, OIDC)
- Capacity to articulate risk exposure based on security vulnerabilities (e.g. CVSS)
- Experience with SCA/SAST/DAST tools (e.g. OWASP Dependency-Check, SpotBugs, OWASP ZAP Proxy, SonarQube)
- Knowledge of legacy Enterprise Java tooling such as EJB, WebSphere, Hibernate, etc.
- Good knowledge of Linux systems, TCP/IP networking and SQL
- Experience working with software automation pipelines (e.g. Jenkins, GitLab)
- Breadth of general technical knowledge and experience
- Aptitude and willingness to improve skillset through continuing education on an ongoing basis
- Advanced knowledge of security capabilities and constraints related to native Azure and AWS services, including relevant practical experience
- Good understanding of continuous delivery/continuous integration processes that follow Secure by Design principles
- Good understanding of firewalls, threat prevention and detection, and application security principles
- Good understanding of conceptual and applied cryptography and Public Key Infrastructures (PKI)
- Good understanding of identity management, user authentication and authorization principles
- Demonstrated technical competency in security engineering based on hands-on experience or relevant qualifications
Nice to have:
- Relevant Security certifications (e.g. CSSLP preferred, CEH, CompTIA Security+, OSCP, CISSP, CCSK)
- Experience in applying threat modeling techniques (e.g. STRIDE, Synopsys, PASTA)
- Past experience performing penetration tests and/or vulnerability assessments
- Exposure to Agile Scrum development environments
- Understanding of microservices architecture
- Experience working in a cross-functional team
- Knowledge of workflow platforms (e.g. Jira)
- Experience working in a financial institution or other regulated environment (e.g. PCI-DSS, SOC2, Sarbanes-Oxley)
- Knowledge of mobile security concepts (e.g. Android and iOS)
Please forward your resume and a covering letter to firstname.lastname@example.org with “Senior Application Security Engineer” in the subject line. We will only be contacting those individuals who we believe are the best potential fit with our requirements.
At Ethoca - A Mastercard Company, we welcome job applications from qualified individuals without regard to race, color, religion, sex, national origin, age, disability, ancestry, family care status, veteran status, marital status, or any other lawfully protected status in every jurisdiction in which we operate. We are committed to a diverse workforce that provides fair and equal opportunity for all employees and candidates.