Security Engineer, Application Security
Posted on Feb 15, 2020 by Affirm, Inc.
pay later without any hidden fees or compounding interest.
Affirm values information security as a critical part of the company's
continued success. Our mission is to make information security programmatic and
cultural in Affirm, enabling the company to succeed in building honest
financial products. The Security team posture increases security and reduces
risk while securely enabling access to information for those who need it.
o Develop application security and product best practices to
standardize security practices.
o Provide security design review and code reviews to the organization
to ensure the product features meet security requirements and best
o Review, analyze, and evaluate both internally developed software
and vendor products and procedures to address security requirements
o Serve as subject matter expert for static and dynamic analysis
o Work with DevOps engineers to integrate static and dynamic analysis
security tools into CI/CD pipelines.
o Interpret security tools findings, 3rd penetration testing results,
and bug bounty program submissions.
o Provide vulnerability remediation guidance and mentoring to product
development software engineers.
o Develop company-wide security projects and processes to discover
security defects in source code, dependencies, and/or other
o Develop and improve documentation on security processes and
o Build metrics to track security defects and automate the collection
of security information to derive metrics.
o Enable automation of product security testing and find innovative
ways to scale the security team.
o Evaluation of new technologies, tools, and/or development
techniques that impact security.
o Team player, high work ethic, attention to detail is a must.
o Ability to communicate effectively with business representatives in
explaining security topics clearly and where necessary, in layman's
o Experience with Cloud and virtualized technology in environments
such as AWS or GCP.
o Ability to efficiently communicate security to any audience, such
as explaining vulnerabilities and weaknesses in the OWASP Top 10,
WASC, and/or CWE 25 and discuss effective defensive techniques and
countermeasures to both business and engineering staff.
o Deep understanding of network protocols such as HTTP and SSL/TLS.
o Familiar with means to defend modern Web applications and
APIs.
o Familiarity with dynamic and static analysis tools and ability
to interpret dynamic/static analysis tools, and penetration test
results and describe issues and fixes to non-security experts.
o Familiarity with common reconnaissance, exploitation, and post-
o Deep understanding of continuous integration / continuous
deployment processes and tools.
o Ability to automate tasks using a scripting language (Python,
o Security certification such as CISSP, OSCP is a plus.
o BA/BS degree in a related field or equivalent experience is a plus.
At Affirm, "People Come First" is a core value and that's why diversity and
inclusion are vital to our priorities as an equal opportunity employer. You can
learn more about our D&I efforts here.
We also consider qualified applicants with arrest and conviction records for
positions in accordance with applicable laws, including the San Francisco Fair