Application Security Engineer GTP

Job Title - Application Security Engineer
About TazapayTazapay is a cross border payment service provider. They offer local collections via local payment methods, virtual accounts and cards in over 70 markets. The merchant does not need to create local entities anywhere and Tazapay offers the additional compliance framework to take care of local regulations and requirements. This results in decreased transaction costs, fx transparency and higher auth rates.They are licensed and backed by leading investors. www.tazapay.com
What's exciting waiting for you?This is an amazing opportunity for you to join a fantastic crew before the rocket ship launch. It will be a story you will carry with you through your life and have the unique experience of building something ground up and have the satisfaction of seeing your product being used and paid for by thousands of customers. You will be a part of a growth story in securing critical financial applications that handle cross-border payments.We believe in a culture of openness, innovation & great memories together.
About the Application Security Engineer RoleAs an Application Security Engineer, you will be responsible for ensuring the security of our payment applications throughout their entire development lifecycle. You will work closely with development teams to identify, assess, and remediate security vulnerabilities in web applications, mobile apps, and APIs that process sensitive financial data across 70+ markets.
Key Responsibilities
Application Security Assessment & TestingConduct comprehensive security assessments of microservices-based applications built with GoLang, Java, or ScalaPerform security reviews of Vue.js and ReactJS frontend applications and their interaction with backend servicesExecute manual and automated web application penetration testing using industry-standard methodologies (OWASP Testing Guide, PTES)Conduct vulnerability scoring and risk assessment using CVSS framework and custom business impact metricsUtilize govulncheck for Go-specific vulnerability detection and dependency analysis in GoLang microservicesDeploy Semgrep/OpenGrep for static code analysis across multiple programming languages and frameworksIntegrate Gitleaks for automated secret detection and credential scanning in source code repositoriesExecute static application security testing (SAST) and dynamic application security testing (DAST) across the entire stackConduct penetration testing and vulnerability assessments on payment processing applications and microservicesPerform web application penetration testing including authentication bypass, authorization flaws, injection attacks, and business logic vulnerabilitiesReview and analyze code for security vulnerabilities with focus on microservices communication patterns and frontend securityAssess API gateways, service meshes, and inter-service authentication mechanismsImplement and maintain automated security testing tools in CI/CD pipelines for both frontend and backend componentsSecure Development Lifecycle (SDLC)

• Integrate security practices into the software development lifecycle
• Collaborate with development teams to implement secure coding practices
• Conduct security architecture reviews and threat modeling sessions
• Provide security requirements and guidelines for new application features
• Establish and maintain application security standards and best practices

Vulnerability Management

• Identify, prioritize, and track application security vulnerabilities across multiple technologies
• Implement comprehensive vulnerability scoring using CVSS v3.1, OWASP Risk Rating, and custom business impact assessments
• Develop risk scoring matrices that incorporate technical severity, business impact, and exploitability factors
• Utilize govulncheck for proactive Go vulnerability management and dependency tracking
• Deploy Gitleaks for continuous secret detection and credential exposure prevention
• Implement Semgrep/OpenGrep for custom vulnerability pattern detection and policy violations
• Create detailed penetration testing reports with executive summaries, technical findings, and remediation roadmaps
• Establish vulnerability SLA metrics and track remediation timelines based on risk scores
• Work with development teams to remediate identified security issues
• Maintain vulnerability management processes and ensure timely resolution
• Perform risk assessments and provide recommendations for vulnerability mitigation
• Monitor and respond to emerging application security threats
• Create and maintain security metrics and KPIs for vulnerability remediation

Security Tools & Automation

• Implement and manage application security scanning tools (SAST, DAST, IAST)
• Deploy govulncheck for continuous Go vulnerability monitoring in GoLang microservices
• Integrate Gitleaks for automated secret scanning across development workflows and CI/CD pipelines
• Configure Semgrep/OpenGrep rules for custom security pattern detection and policy enforcement
• Develop and maintain security automation scripts and tools
• Integrate security tools into development workflows and CI/CD pipelines
• Evaluate and recommend new application security technologies and solutions
• Create custom security rules and policies for language-specific vulnerabilities
• Automate security testing for containerized applications and microservices

Compliance & Documentation

• Ensure applications comply with financial industry regulations (PCI DSS, PSD2, etc.)
• Maintain security documentation, procedures, and incident response plans
• Support compliance audits and security assessments
• Create and deliver application security training for development teams

Required QualificationsExperience

• 4+ years of experience in application security, with focus on web and mobile applications
• Strong experience securing microservices architectures, particularly those built with GoLang, Java, or Scala
• Hands-on experience with frontend security for modern JavaScript frameworks (Vue.js, ReactJS)
• Extensive experience in web application penetration testing including OWASP Top 10, business logic flaws, and authentication/authorization bypasses
• Proven expertise in vulnerability scoring and risk assessment using CVSS, OWASP Risk Rating, and custom scoring methodologies
• Proven experience with security automation tools: govulncheck (Go vulnerability scanning), Gitleaks (secret detection), Semgrep/OpenGrep (static analysis)
• Experience with application security testing tools (Burp Suite, OWASP ZAP, Veracode, Checkmarx, etc.)
• Hands-on experience with penetration testing and vulnerability assessment
• Experience with secure code review and static/dynamic analysis tools
• Knowledge of common web application vulnerabilities (OWASP Top 10) and microservices-specific security challenges

Technical Skills

• Proficiency in backend programming languages with strong focus on GoLang, Java, or Scala for microservices architecture
• Experience with frontend frameworks, particularly Vue.js and ReactJS for modern web applications
• Advanced proficiency with security tools: govulncheck (Go-specific vulnerability detection), Gitleaks (credential scanning), Semgrep/OpenGrep (multi-language static analysis)
• Expert-level web application penetration testing skills using tools like Burp Suite Professional, OWASP ZAP, Nuclei, and custom exploitation frameworks
• Comprehensive knowledge of vulnerability scoring frameworks including CVSS v3.1, OWASP Risk Rating Methodology, and FAIR (Factor Analysis of Information Risk)
• Experience with automated penetration testing tools and frameworks for continuous security validation
• Strong understanding of microservices security patterns and inter-service communication
• Experience with API security testing and assessment (REST, GraphQL, gRPC)
• Knowledge of mobile application security (iOS/Android)
• Familiarity with cloud security (AWS, Azure, GCP)
• Understanding of database security and secure data handling
• Experience with containerized applications and orchestration platforms

Security Knowledge

• Deep understanding of application security principles and best practices
• Expert knowledge of web application penetration testing methodologies (OWASP Testing Guide, PTES, NIST SP 800-115)
• Advanced understanding of vulnerability scoring and risk quantification using industry-standard frameworks
• Knowledge of security frameworks and standards (OWASP, NIST, ISO 27001)
• Experience with threat modeling and risk assessment methodologies
• Understanding of cryptography and secure communication protocols
• Knowledge of authentication and authorization mechanisms
• Expertise in manual testing techniques for complex business logic vulnerabilities
• Experience with penetration testing reporting and executive communication of security risks

Nice to HaveCertifications

• Relevant security certifications (CISSP, CEH, CSSLP, GWEB, OSCP)
• Cloud security certifications (AWS Security, Azure Security)

Additional Skills

• Experience with DevSecOps practices and tools
• Advanced proficiency in securing distributed microservices ecosystems
• Experience with modern frontend build tools and security (Webpack, Vite, npm/yarn security)
• Expertise in Go ecosystem security including govulncheck integration and dependency management
• Advanced configuration and customization of Semgrep/OpenGrep rules for organization-specific security policies
• Experience with Gitleaks integration across multiple Git workflows and CI/CD platforms
• Advanced web application penetration testing including thick client applications and complex multi-tier architectures
• Experience with custom exploit development and proof-of-concept creation for business logic vulnerabilities
• Expertise in creating comprehensive risk scoring models that align technical findings with business impact
• Knowledge of container security (Docker, Kubernetes)
• Experience with financial services and payment processing security
• Familiarity with regulatory compliance (PCI DSS, GDPR, PSD2)
• Experience with bug bounty programs and responsible disclosure
• Knowledge of machine learning/AI security
• Experience with service mesh security (Istio, Linkerd) and API gateway security

Key Abilities and TraitsTechnical Excellence: Demonstrated ability to identify and remediate complex application security vulnerabilities across diverse technology stacks.Collaboration: Strong ability to work effectively with development teams, translating security requirements into actionable development practices.Communication: Excellent verbal and written communication skills, capable of explaining security concepts to both technical and business stakeholders.Problem-Solving: Strong analytical and problem-solving skills with the ability to think like both a defender and an attacker.Continuous Learning: Commitment to staying current with emerging application security threats, tools, and best practices.Detail-Oriented: Meticulous attention to detail when reviewing code and assessing application security.Project Management: Ability to manage multiple security assessments and projects simultaneously while meeting deadlines.