Application Security Engineer 🌍

France

Applications have closed

Pennylane

Pennylane is the all-in-one financial management and accounting platform for business owners and their accountants

Pennylane is the first platform that combines business software for accountants and financial management tools for their clients. Pennylane centralizes in real time all the financial flows of companies and facilitates collaboration between managers and their accountants. Launched in 2020, Pennylane has more than 330 employees (more than 25 nationalities) and already supports more than 1000 accounting firms and 40 000 business owners.

👪 Team and environment
We are looking for an Application Security Engineer to join Romain in the technical security team. Reporting directly to Guillaume, our Head of Information Security, you will be responsible for all technical matters involving security issues. Working with the security compliance team, you may be required to provide technical support to the team in the definition and monitoring of long-term projects designed to strengthen the security of our assets in a sustainable manner. You will have a key role in advising, assisting, informing, training and alerting all employees (especially developers). You will also be responsible for the day-to-day management of technical operations in the context of ISO 27001 certification.
The technical security team is involved from the identification/detection of a security issue to its resolution (development and implementation of the security patches). If the needs or the complexity of the patch are too great, the security team can count on the support of the developers and in particular the Security Champions team to sustain the effort.

🎯 Your tasks
You will be required to work on: All technical security issues/projects while providing technical support on compliance needs
Let’s break it down:
- Security by design within the projects by discussing with the teams to consider the security risks
- To be proactive in the security projects to be carried out, to define and to prioritize them
- Ensure the security of the main Web application in Ruby on Rails and React: its dependencies, its code, its infrastructure and its configuration
- Security and maintaining the security condition of other applications and AWS infrastructure, including its Kubernetes environment (AWS EKS)
- Conduct and perform regular security assessments (internally or by an external firm) on the applications (code reviews/pentests/bug bounty in particular) and the infrastructure
- Conducting code reviews from a secure development point of view (about 80 releases per day, not all of which have security implications, but it is an important and recurring topic)
- Build/Improve secure development training materials and conduct regular training sessions with the developers
- Contribute to tenders to explain our security policies and provide the necessary technical details
- Learn about Rails and React to detect vulnerabilities during code reviews and implement associated patches
- Strengthen the current means of detecting malicious attempts

These missions are not exhaustive and remain evolving.

🥇 You’re the right candidate if
- You have just graduated or ideally have a first experience in defensive or offensive application security, are a quick learner and like to work on different projects. As a security team member at Pennylane, you’ll work on all security topics (application, cloud infrastructure, security by design, training, ISO 27001, etc.).
- Working in an English-speaking environment doesn't scare you, you don't need to be bilingual. You need to be able to share your ideas and thoughts well in spoken and written English and to understand what is being said. If you need help with this, we can provide you with a Busuu subscription to improve your English immediately.
- You ideally have the following skills/experience:
  - Able to perform offensive security assessments on an infrastructure or an application
  - You know how to exploit and fix a wide range of Web vulnerabilities (not just the OWASP top 10)
  - You already have experience in a programming language (Ruby, Python, JavaScript), either for quick and dirty scripting to exploit a vulnerability or for larger projects
  - You have experience in cloud infrastructure security
  - You are able to popularize technical terms to facilitate the adoption of security measures within projects or to broadcast messages to Pennylaners
  - You are autonomous, proactive and organized
  - Working with remote colleagues is not an issue for you
Bonus: if you have already developed in Ruby or React and/or if you have technical application security certifications.
A multi-skilled profile will be preferred.

✨ Our vision
- We aim to become the most beloved financial Operating System of European SMEs.
- We help business owners get rid of the time consuming hassle of handling accounting and finance, while giving them access to key information that they can use to make better decisions.
- Meanwhile, we’re helping accountants. By using Pennylane, rather than doing manual and repetitive tasks, they can spend more time advising and guiding their clients.

🎁 Perks
- 🏢 You'll be able to work remotely from anywhere in Europe, as long as your contract allows you to
- 🏡 You’ll have a budget to turn your home into a more comfortable workspace, as well as a monthly allowance to work from a coworking space whenever you feel like it
- 📈 You'll get company shares to enjoy a piece of the success story you're building with us
- ❤️‍🩹 A very complete mutual insurance (Alan) and a mental well-being application (AlanMind)
- ⛹️ Through our partner Gymlib, you’ll have access to 8000 fitness spaces in Europe and more than 300 activities related to wellness
- 🇬🇧 You’ll have access to Busuu to perfect your English or your French
- 💻 You’ll get the latest Apple equipment
- 👋🏻 You’ll be integrated through a dedicated onboarding week of newcomers
- 🎉 You’ll be part of a vibrant social community: we do lots of sports together (soccer, running, climbing, etc.), we love to hang out and have a drink together (Thursday afterwork drinks on our rooftop is a usual thing. We regularly meet every 2 to 3 months during tech days and do company seminars. Last time, we went on a trip to the French Alps and to French Provence which were fabulous!)

💬 What does the recruitment process look like?
- You will first have a general chat with a Talent Acquisition Manager (30min)
- Then you’ll meet Romain, Application Security Engineer, for a first introduction meeting where you’ll also discover the technical challenge (15/20min)
- You carry out the technical challenge independently over the next 48h
- Then, you’ll discuss your solutions with Romain and Guillaume, Head of Information Security (45min)
- Finally, a last culture fit meeting with one of our co-founders (30min)
We make sure we move fast; you can expect the recruitment process with us to last between 15 and 25 days in total.

Tags: Application security AWS Cloud Compliance Exploit Finance ISO 27001 JavaScript Kubernetes Monitoring Offensive security OWASP Python Ruby Scripting Security assessment Vulnerabilities

Perks/benefits: Career development Fitness / gym Team events Wellness

Region: Europe
Country: France