Senior Cloud & Application Security Engineer

We are seeking an experienced Senior Security Engineer to join our dynamic Security Team. In this key role, you will be a key contributor to Funding Circle's cloud and application security posture. You will leverage your deep expertise in AWS security, secure software development lifecycle (SSDLC) practices, and CI/CD security to implement and champion robust security solutions. You will act as a subject matter expert and mentor, collaborating closely with engineering and product teams to embed security seamlessly into our cloud infrastructure and development processes, ensuring the protection of our platform and customer data in a fast-paced FinTech environment.

The role:

• Define, champion, and embed secure software development lifecycle (SSDLC) practices and secure coding standards across engineering teams through collaboration, training, and tooling.
• Architect, build, and maintain automated security controls, tooling, and "security rails" within CI/CD pipelines to ensure secure and efficient deployments.
• Collaborate closely with Cloud Platform Engineers, DevX and Product Engineering to ensure security requirements are integrated into system designs and technology choices from the outset.
• Perform threat modelling exercises for cloud-native applications, microservices, and infrastructure components.
• Manage internal and external penetration testing engagements for Funding Circle applications, services, and cloud infrastructure.
• Oversee and enhance vulnerability management processes, focusing on strategic remediation, root cause analysis, and preventative measures.
• Contribute to drive implementation of security automation across cloud infrastructure configuration, vulnerability management, and compliance monitoring.
• Design, implement, and support the adoption of robust security architectures, controls, and best practices within our AWS cloud environment.
• Act as a subject matter expert on cloud security (AWS), DevSecOps, and application security, providing guidance and mentorship to other engineers.
• Contribute to the incident response planning for complex cloud and application security events.
• Proactively monitor the threat landscape, evaluate emerging cloud security risks and trends, and translate them into actionable security improvements.

What we’re looking for:

• Significant (3+ years) hands-on experience in Information Security, with a demonstrable deep focus on AWS cloud security and application/product security.
• Deep, demonstrable expertise in designing, implementing, securing, and managing a wide range of AWS security services.
• Proven, hands-on experience architecting, building, and integrating security tooling (SAST, DAST, SCA, secrets management, IAST) and automated security controls within CI/CD pipelines (e.g., GitLab CI, Jenkins, GitHub Actions).
• Strong track record of defining, implementing, measuring, and supporting the adoption of secure software development lifecycle (SSDLC) practices and secure coding standards within engineering organizations.
• Strong understanding of web application security vulnerabilities (OWASP Top 10 and beyond), attack vectors, and mitigation techniques.
• Significant experience securing Infrastructure as Code (IaC), particularly Terraform, and implementing relevant security checks.
• Solid experience with container security and securing container orchestration platforms (Kubernetes/EKS).
• Proven ability contributing significantly to vulnerability management programs, including advanced triaging, root cause analysis, risk assessment, and strategic remediation planning.
• Strong communication and influencing skills, with the ability to articulate complex security concepts clearly to technical audiences.
• Strong knowledge of relevant security frameworks and standards (e.g., NIST CSF, CIS Benchmarks, OWASP ASVS).
• Exposure and knowledge of the MITRE ATT&CK framework.
• Experience effectively coordinating external penetration testing engagements and managing remediation efforts.

Nice to have:

• Relevant advanced security certifications (e.g., AWS Certified Security - Specialty, CISSP, CCSP, OSCP/OSWE).
• Experience with specific security platforms/tools (e.g., Wiz, Snyk, Checkmarx, Veracode).
• Proficiency in security automation using scripting languages (e.g., Python).
• Experience working in FinTech or other highly regulated environments.
• Experience with mobile application security principles and testing.

At Funding Circle we are committed to building diverse teams so please apply even if your past experience doesn’t align perfectly with the requirements.