Application Security Engineer/Lead

Ajaib

Jakarta | On-site | 1mo ago
Employment: Full-time
Seniority: Lead

About the role

As the Application Security Engineer/Lead, you will serve as the primary authority for ensuring the security, resilience, and integrity of our digital financial services, mobile platforms, and crypto systems. Reporting directly to the Head of Security, you will champion secure software development lifecycle (SSDLC) practices, scale our threat modeling capabilities, and manage security testing programs. You will be responsible for aligning our application defense with the OWASP framework and managing external penetration testing in accordance with CREST standards.

Key Responsibilities

  • AppSec Program Leadership: Define and implement the enterprise Application Security strategy, ensuring secure coding practices are embedded across all engineering teams.
  • Standardize application security testing, code reviews, and vulnerability management around OWASP Top 10, OWASP ASVS (Application Security Verification Standard), and SAMM (Software Assurance Maturity Model).
  • Vulnerability & DevSecOps Management: Oversee the implementation and optimization of SAST, DAST, SCA, and IAST tools within CI/CD pipelines, triaging findings and guiding engineers on remediation. Automate SAST/DAST/SCA testing directly in developer workflows.
  • Threat Modeling: Lead architecture review and conduct threat modeling exercises during early product design phases using frameworks like STRIDE, and champion secure coding standards across the engineering ecosystem.
  • CREST-Aligned Penetration Testing: Manage the scoping, execution, and remediation tracking of external penetration tests, ensuring all third-party vendors and methodologies adhere strictly to CREST accreditation guidelines.
  • Developer Enablement: Design and deliver continuous secure code training programs and champion a network of "Security Champions" within product engineering teams.

Requirements

  • Experience: 8+ years of dedicated experience in information security, with at least 3+ years specifically leading application security or product security functions within fintech, digital banking, or e-commerce ecosystems.
  • Technical Proficiency: Strong background in software development (e.g., Java, Python, Go, Node.js) and a deep understanding of cloud-native architectures (AWS/GCP, Kubernetes, Docker).
  • Mobile & Tooling Expertise: Deep technical knowledge of mobile app vulnerabilities (reverse engineering, certificate pinning, secure storage) and extensive hands-on experience managing security tooling native to GitHub, GitLab and Bitbucket. Proficiency in SAST/DAST/SCA tools such as Checkmarx, Semgrep, Snyk, Burp Suite Professional, and SonarQube.
  • OWASP Mastery: Proven track record of applying OWASP standards to web, mobile, and API layers to systematically reduce application vulnerabilities.
  • CREST/Testing Expertise: Clear understanding of CREST penetration testing standards; experience managing or executing CREST-accredited technical security assessments.
  • Certifications: Possession of CREST certifications (e.g., CREST Registered/Certified Application Security Analyst) or equivalent expert-level practical certifications (e.g., OSCP, OSWE, CSSLP) is highly preferred.
  • Communication: Exceptional capability to articulate complex software vulnerabilities as business risks to product owners and provide actionable technical fixes to engineers.

Benefits

Join us as we make magic happen to increase Indonesia’s financial inclusion!