via indeed · 27 May 2026 · 9 days ago

Application Security Engineer

FINOVA
Salford Remote

Application Security Engineer - Manchester Based (3 Days Hybrid)

About Finova

Finova is the UK’s largest financial services technology provider, supporting one in every five mortgages nationwide. Our agile, cloud-native solutions enable over 60 banks, building societies, specialist lenders, equity release providers and a network of 2,400+ brokers to stay ahead in a competitive market.

Built on open architecture and backed by deep industry expertise, our platform is designed to scale. Each year, we process over £50 billion in loans, manage nearly £50 billion in savings, and support the digital servicing of more than 650,000 UK borrower accounts.

Be part of a team that’s driving innovation, enabling growth and shaping the future of UK lending.

For Lenders

Finova offers a flexible, modular technology suite designed to help lenders move faster, scale efficiently and deliver standout digital experiences.

Financial Institutions use Finova to launch products faster, process applications up to 50% more efficiently and reduce operational costs — all while staying fully compliant in a fast-moving market.

About the Role:

Finova is seeking a hands-on Application Security Engineer to embed security into the design, build, and shipment of software across a multi-cloud SaaS fintech platform.

  • Core Responsibility: Partner closely with developers, the IAM Specialist, and the Cloud Security Engineer to ensure identity, infrastructure, and code are defended together.

  • The Stack: Multi-cloud environment spanning AWS, Azure, and GCP. Applications run on .NET / ASP.NET with SQL Server backends.

  • Key Challenge: Protect regulated financial data while defending a growing portfolio of AI-powered features against a new class of application risks (e.g., prompt injection, model abuse, and training data leakage).

  • Work Model: A highly collaborative, hands-on hybrid role focused on making secure-by-default the path of least resistance for engineering teams.

About you:

  • Experience: 4–6 years in application security, product security, or security-focused software engineering within regulated environments.

  • Framework Expertise: Strong working knowledge of .NET / ASP.NET application security (Claims-based identity, ASP.NET Core authorization, data protection APIs).

  • Security Models: Deep, practical familiarity with the OWASP Top 10, OWASP ASVS, and hands-on experience leading threat modelling sessions (STRIDE/attack trees).

  • CI/CD Pipeline Skills: Experience integrating and tuning security tools (SAST, SCA, DAST) within Azure DevOps, GitHub Actions, or similar pipelines.

  • Code Review: Confident reading and reviewing C# code to find authorization flaws, deserialization issues, or tenant isolation gaps during PRs.

  • Core Fundamentals: Solid understanding of cryptographic primitives, API security at scale (OAuth 2.0 / OIDC, JWT pitfalls), and SaaS multi-tenancy data exposure risks.

  • Consultative Delivery: Experience working as a delivery engineer or consultant, shipping security work into messy, deadline-driven customer environments.

  • Communication: Clear communicator who can effectively coach a junior engineer, debate with a senior engineer, and explain critical risks to non-technical executives.

Nice-to-Have

  • Fintech Background: Experience working in fintech, payments, banking, or insurance environments.

  • AI Security: Hands-on experience securing AI/LLM features, prompt injection defense, and familiarity with OWASP LLM Top 10 or MITRE ATLAS.

  • Offensive Security: An offensive security background (OSCP, OSWE, or equivalent) or experience with bug bounty program design.

  • Certifications: CSSLP, GWAPT, GWEB, CISSP, or vendor-specific cloud security certifications.

  • Database Security: Experience identifying SQL Server-specific application risks, including ORM misuse and stored procedure vulnerabilities.

  • Community Contributions: Contributions to open-source security tooling, CVE research, or published security writing.

About You

You are a security champion who bridges the gap between deep technical code and fast-moving software delivery. You don't view security as a roadblock, but rather as an engineering discipline dedicated to making the secure path the easiest path for developers.

Key Attributes:

  • The Collaborative Builder: You thrive in shared-accountability environments, working alongside infrastructure and identity specialists to build multi-layered defenses.

  • Pragmatic and Ruthless: You believe in tuning tools to protect developer workflows from noise, ensuring that every alert is a high-signal, high-trust finding.

  • Curious and Adaptive: You are energized by new technical frontiers, eagerly translating the emerging risks of AI endpoints and LLMs into practical engineering guardrails.

  • Resilient Communicator: You are comfortable operating in the realities of regulated environments, translating complex vulnerabilities into business context for leadership while remaining a trusted peer to developers.

What will you be doing?

Secure SDLC & Shift-Left Automation

  • Toolchain Ownership: Own the application security toolchain end-to-end (SAST, SCA, DAST, secrets, container, and IaC scanning) integrated into Azure DevOps and GitHub Actions.

  • Scanner Optimization: Tune scanners ruthlessly to maximize high-signal findings and eliminate noise so engineers trust the alerts.

  • Early Detection: Build and maintain pre-commit and pull-request security checks to catch issues before code is merged.

  • Vulnerability Management: Drive CVSS-based SLAs, automated tracking, and exception workflows for application-layer issues across product teams.

  • Coding Standards: Define and evolve secure coding standards for .NET / ASP.NET (input validation, cryptography, logging, and authorization patterns).

Threat Modelling & Secure Design

  • Active Threat Modelling: Lead threat modelling sessions for new features using STRIDE or attack trees, turning outputs into tracked work items.

  • Design Architecture: Review Architectural Decision Records (ADRs), API designs, and data flow diagrams before code gets written.

  • Developer Pairing: Provide hands-on security guidance by pairing with developers on complex authorization logic, cryptographic choices, or tenant isolation.

  • Pattern Catalogues: Maintain a living catalogue of approved secure patterns and anti-patterns so teams can build securely at speed.

Vulnerability Management & Penetration Testing

  • Lifecycle Management: Own the remediation lifecycle for application findings discovered via internal testing, customer reports, bug bounties, and external pentests.

  • Pentest Coordination: Scope and coordinate external penetration tests, select vendors, challenge false positives, and build remediation plans.

  • Internal Testing: Conduct manual code reviews of high-risk areas, dynamic testing of new features, and adversarial reviews of authorization logic.

  • Purple-Teaming: Build and run purple-team exercises against internal applications to test detection and response capabilities alongside Security Operations.

Application-Layer Authorization (in partnership with IAM)

  • Access Validation: Partner with the IAM Specialist to ensure RBAC/ABAC implementations behave correctly, tenant context is mandatory, and defaults fail closed.

  • ASP.NET Hardening: Review and harden authorization implementations (Claims, policies, attributes, custom middleware) and write unit/integration tests to prove isolation.

  • Policy Design: Contribute to OPA / Rego policy design from the application side and integrate policy decision points into application code.

  • Bug Hunting: Systematically hunt for high-stakes authorization bugs like IDOR, BOLA, broken access control, and mass assignment.

API & Service Security

  • API Standards: Define and enforce standards for authentication (OAuth 2.0, mTLS), rate limiting, and schema validation across REST, GraphQL, and gRPC.

  • Gateway Hardening: Partner with the Cloud Security Engineer to harden API gateway configurations, request validations, and JWT validation rules.

  • Layer-7 Protections: Implement and monitor WAF rules, bot management, and anti-automation controls without disrupting legitimate customer integrations.

  • Inventory Tracking: Maintain a clear inventory of internal and external APIs, their classifications, and their security postures.

AI & ML Application Security

  • AI Risk Leadership: Lead security thinking for AI features, defending against prompt injection, jailbreaks, model DoS, and inference data leakage.

  • Adversarial Testing: Design and run security testing for LLM-backed endpoints and feed findings back into prompt design and guardrails.

  • Confused-Deputy Prevention: Collaborate with IAM to ensure AI endpoints cannot be weaponized to bypass direct access limitations.

  • Data Pipeline Security: Define secure-use patterns for embeddings, vector databases, RAG pipelines, and feature stores to prevent tenant data leaks.

  • Landscape Tracking: Translate evolving AI security frameworks (OWASP LLM Top 10, MITRE ATLAS) into practical engineering standards.

Compliance, Evidence & Engineering Enablement

  • Automated Evidence: Ensure application security controls satisfy SOC 2 Type II and PCI-DSS requirements via automated pipeline collection.

  • Audit Support: Support audits and customer assurance reviews by providing technical context and clear remediation narratives.

  • Security Training: Run secure coding workshops, threat modelling enablement, and post\-incident learning sessions for engineers.

  • Incident Response: Contribute to incident response for application-security events through root-cause analysis
