Overview
As an Application Security Engineer, you'll help drive Concora Credit's Mission to enable customers to Do More with Credit every single day.
The impact you'll have at Concora Credit:
We are seeking a highly skilled Application Security Engineer to strengthen our application and product security posture across web, mobile, and cloud-based platforms. The ideal candidate will have deep hands-on experience in secure application development practices, threat modeling, and vulnerability management, with a proven track record of sustained collaboration and communication with development teams and supporting security programs within the financial services industry and PCI DSS compliance environments. The candidate's success will be dependent on their ability to integrate with multiple teams and be a collaborative and guiding presence.
We hire people, not positions. That's because at Concora Credit, we put people first, including our customers, partners, and Team Members. Concora Credit is guided by a single purpose: to help non-prime customers do more with credit. Today, we have helped millions of customers access credit. Our industry leadership, resilience, and willingness to adapt ensure we can help our partners responsibly say yes to millions more. As a company grounded in entrepreneurship, we're looking to expand our team and are looking for people who foster innovation, strive to make an impact, and want to Do More! We're an established company with over 20 years of experience, but now we're taking things to the next level. We're seeking someone who wants to impact the business and play a pivotal role in leading the charge for change.
Responsibilities
As our Application Security Engineer, you will:
- Collaborate daily with development and project teams, assisting developers and architects to ensure compliance with established security standards and secure design principles.
- Identify, prioritize, and mitigate vulnerabilities based on OWASP Top 10, SANS CWE Top 25, and industry best practices.
- Lead application security assessments and reviews for web, mobile, and API-based systems throughout the SDLC.
- Collaborate with internal DevOps and other Dev teams to integrate, manage, and report on automated vulnerability scanning, SAST, DAST, and SCA platforms, both as stand-alone tools and within CI/CD pipelines.
- Partner with DevOps and engineering teams to embed security controls early in the development process (shift left).
- Conduct secure code reviews and support developers in understanding and remediating findings.
- Conduct and coordinate penetration tests for internal systems and web and mobile applications to validate vulnerability findings and assess real-world exploitability.
- Champion secure coding practices and deliver targeted security training and awareness to engineering teams.
- Perform threat modeling and risk assessments for new applications and system changes.
- Support and maintain PCI DSS compliance as it relates to application security and data protection.
- Collaborate with infrastructure and cloud security teams to ensure consistent protection across the technology stack.
- Contribute to continuous improvement of the organization's secure SDLC and AppSec frameworks.
These duties must be performed with or without reasonable accommodation.
We know experience comes in many forms and that many skills are transferable. If your experience is close to what we're looking for, consider applying. Diversity has made us the entrepreneurial and innovative company that we are today.
Qualifications
Requirements:
- 3-5 years of experience in Application Security, Secure Software Development, or related fields.
- Solid understanding of OWASP Top 10, secure coding standards, vulnerability management, penetration testing methodologies, and common web/mobile vulnerabilities.
- Hands-on experience with security testing tools (e.g., SonarQube, Tenable WAS, Burp Suite, OWASP ZAP, Veracode, or similar).
- Experience integrating AppSec tools into DevOps pipelines (Azure DevOps, Git, etc.).
- Experience performing or managing web application penetration tests using tools such as Burp Suite, OWASP ZAP, or manual techniques aligned with the OWASP Testing Guide.
- Strong familiarity with PCI DSS and other financial regulatory compliance frameworks.
- Practical knowledge of web technologies (REST, JavaScript, HTML5, CSS, JSON) and at least one modern programming language (e.g., Java, C#, Python, JavaScript, Swift).
- Experience securing mobile applications (iOS and Android) through static and dynamic analysis.
- Excellent communication skills and ability to work cross-functionally with engineering and compliance teams.
What's In It For You:
- Medical, Dental, and Vision insurance for you and your family
- Relax and recharge with Paid Time Off (PTO)
- 6 company-observed paid holidays plus 3 paid floating holidays
- 401k (after 90 days) plus employer match up to 4%
- Pet Insurance for your furry family members
- Wellness perks, including onsite fitness equipment at both locations, EAP, and access to the Headspace App
- We invest in your future through Tuition Reimbursement
- Save on taxes with Flexible Spending Accounts
- Peace of mind with Life and AD&D Insurance
- Protect yourself with company-paid Long-Term Disability and voluntary Short-Term Disability
Concora Credit provides equal employment opportunities to all Team Members and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.
Employment-based visa sponsorship is not available for this role.
Concora Credit is an equal opportunity employer (EEO).
Please see the Concora Credit Privacy Policy for more information on how Concora Credit processes your personal information during the recruitment process and, if applicable based on your location, how you can exercise your privacy rights. If you have questions about this privacy notice or need to contact us in connection with your personal data, including any requests to exercise your legal rights referred to at the end of this notice, please contact .
Required Experience:
IC