Security Engineer, Application Security

📅 Posted 11 days ago 💵 220,000 - 275,0000 CAD

Job Description

Engineering at Brex

The Engineering team includes Data, IT, Security, and Software, and is responsible for building innovative products and infrastructure for Brex and our customers. We believe that engineers should accelerate the business through technology, and collaborate across multiple teams to accomplish that.

Teams are autonomous, filled with inclusive individuals who are eager to learn, teach, and constantly improve how things work. The software we build today is the foundation for dozens of Brex systems in the future, so engineers have a strong sense of ownership and accountability and take pride in their craft.

What you’ll do

As an Application Security Engineer, you will focus on finding and responding to security vulnerabilities across the Brex platform. In this role, you will perform code reviews, design reviews, penetration testing, and bug bounty management. You will also develop tooling to perform static and dynamic testing of the Brex platform.   

We’re looking for individuals with a strong background and interest in penetration testing. You should have a demonstrated ability to find vulnerabilities and write exploits. 

Within this role, you will work with every engineering team at Brex. You should be enthusiastic about working with a variety of backgrounds, roles, and needs across Brex. Building a world-class financial service requires world-class security.

Application Security is part of our wider Trust organization, which means you will also have the opportunity to work closely with other security teams, such as Infrastructure Security, Detection and Response, and GRC. 

Responsibilities

  • Perform penetration testing and design reviews, looking for vulnerabilities and insecure designs. Work with engineering and product teams to design secure product features
  • Articulate the risk of specific vulnerabilities and determine prioritization efforts
  • Build internal tools to help automate security efforts and perform SAST and DAST testing of the platform
  • Help manage our third-party bug bounty program. Triage issues, respond to researchers, and track reported vulnerabilities.

Requirements

  • 3+ years of work experience in an Application Security role
  • Ability to find vulnerabilities in complex systems
  • Perform a wide range of SDL activities, including threat modeling, developer education, and incident response
  • Knowledge of Python and scripting languages to automate tasks and build tools
  • You thrive in a collaborative environment filled with a diverse group of people with different expertise and backgrounds. (We currently have around 30 nationalities represented, with more than ½ the company working in a country different from the one they grew up in.)

Bonus points

  • Proficiency with Kotlin, gRPC and GraphQL
  • Previous experience as a software engineer
  • Consultancy experience performing Application Security reviews
  • Experience with securing distributed systems in AWS and cloud environments
  • Contributions to the wider technical community (open source, public research, mentorship, community organizing, blogging, presentations, etc)
  • Experience submitting to Bug Bounty programs

Compensation:

The expected salary range for this role is 220,000 - 275,0000 CAD.  However, the starting base pay will depend on a number of factors including the candidate’s location, skills, experience, market demands, and internal pay parity. Depending on the position offered, equity and other forms of compensation may be provided as part of a total compensation package.