Senior Application Security Engineer

Who are Tide:

At Tide, we’re on a mission to save businesses time and money. We’re the leading provider of UK SME business accounts and one of the fastest-growing FinTechs in the UK. Using the latest tech, we design solutions with SMEs in mind and our member-driven financial platform is  transforming the business banking market. Not only do we offer our members business accounts and related banking services, but also a comprehensive set of highly connected admin tools for businesses. 

Tide is about doing what you love. We’re looking for someone to join us on our exciting scale up journey and be a part of something special. We are wanting passionate Tideans to drive innovation and help build a best-in-class platform to support our members. You will be comfortable in ambiguous situations and will be able to navigate the evolving FinTech environment. Imagine shaping how millions of Tide members discover and engage with business banking platforms and building this on a global scale.

What we’re looking for:

• You will have at least 5 years experience working as part of a modern application security team.
• You will have run threat modelling sessions with engineers and be keen to support them in identifying security risks in their applications. You will be expert at explaining those security risks to engineers, and helping them understand the best way to mitigate any threats.
• You will know the limitations of a fully automated DevSecOps approach but will also know that implementing security tools in CI/CD pipelines is vital in supporting a large engineering community. You will also be able to get “hands on” and make any required changes in GitHub Actions or similar.
• You will be able to communicate with product owners and VP’s to help them clearly understand the level of risk involved in a security defect, even if the technical details are not fully within their grasp.
• You will be familiar with both OWASP ASVS and OWASP SAMM but also be pragmatic in their application.
• You will know how important it is to educate engineers on security best practice and that this is the best way to create an engineering function who are also empowered with security.
• You will understand a bug bounty program can be an integral part of assuring the the companies products are free of security defects.
• You will have a strong aversion to saying “No” and will instead want to support engineers in delivering secure products that delight our members.

As a Senior Application Security Engineer you’ll be:

• Building security into our CI\CD pipeline
• Owning and defining Tide’s threat modelling methodology, and embedding this across Tide’s engineering community
• Liaising with finders on Tide’s bug bounty program and helping decide a suitable reward for anything identified as in scope
• Performing application security design evaluations and code reviews, and providing subject matter expertise around these topics
• Owning and nurturing the relationship between Information Security and Engineering, and developing good working practices between the two teams
• Improving Tide’s engineering standards in line with industry best practices by embedding a secure by default approach into all stages of the development lifecycle
• Evaluating, implementing and managing 3rd party application security tools that complement Tide’s existing technology stack
• Developing a repository of tailored application security training content for consumption by Tide’s engineering community
• Balancing information security risk with product feature advancement, and incorporating the use of best-practice risk management methodology within the development process

What makes you a great fit: 

• You have experience using SemGrep or CodeQL to find security defects
• You have aligned applications with ASVS or MASVS maturity levels
• You have software engineering experience in an agile environment
• You are able to intuitively find flaws in software and can effectively communicate how to fix them
• You have the ability to think like an attacker and use that context to develop threat models
• You can enable other engineering teams to find flaws before they are introduced into production
• You have technical knowledge in one of the following: cloud security, web application security, mobile security
• You have knowledge of secure coding and best practices
• You have a hands-on attitude and the ability to drive solutions to completion
• You have experience with OWASP frameworks, static & dynamic analysis, and common exploitation methods
• You may have knowledge of OWASP SAMM
• You may have experience working within the Fintech sector
• You may have worked within a fast scaling business

What you’ll get in return: 

Make work, work for you! We are embracing new ways of working and support flexible working arrangements. With our Working Out of Office (WOO) policy our colleagues can work remotely from home or anywhere in their home country. Additionally, you can work from a different country for 90 days of the year. Plus, you’ll get:

• Competitive salary
• Self & Family Health Insurance
• Term & Life Insurance
• OPD Benefits
• Mental wellbeing through Plumm
• Learning & Development Budget
• WFH Setup allowance
• 15 days of Privilege leaves
• 12 days of Casual leaves
• 12 days of Sick leaves
• 3 paid days off for volunteering or L&D activities

Tidean Ways of Working 

At Tide, we’re Member First and Data Driven, but above all, we’re One Team. Our Working Out of Office (WOO) policy allows you to work from anywhere in the world for up to 90 days a year. We are remote first, but when you do want to meet new people, collaborate with your team or simply hang out with your colleagues, our offices are always available and equipped to the highest standard. We offer flexible working hours and trust our employees to do their work well, at times that suit them and their team.

Tide is a place for everyone

At Tide, we believe that we can only succeed if we let our differences enrich our culture. Our Tideans come from a variety of backgrounds and experience levels. We consider everyone irrespective of their ethnicity, religion, sexual orientation, gender identity, family or parental status, national origin, veteran, neurodiversity status or disability status. We believe it’s what makes us awesome at solving problems! We are One Team and foster a transparent and inclusive environment, where everyone’s voice is heard.

#LI-NN1 #LI-Remote