Application Security Engineer - Pennylane

Job Title
Application Security Engineer
Job Location
All France (remote)
Job Description
Are you looking to have an impact on the daily life of millions of entrepreneurs in France (and tomorrow in Europe)?
Are you looking for a work environment that values trust, proactivity, and autonomy?
Are our Engineering principles aligned with your vision?
Then Pennylane is the right place for you!

Our vision
We aim to become the most beloved financial Operating System of French SMEs and Accounting Firms (and soon, European ones).
We help entrepreneurs rid themselves of time-consuming tasks related to accounting and finance while providing them with access to key financial information to assist in making the best decisions for their business.

About us
Pennylane is one of the fastest growing Fintechs in France (and soon to be in Europe!)

In 4 years of existence, we’ve managed to:
💻 Make ourselves known as a groundbreaking accounting and financial software for small businesses and their accountants
💰 Raise a total of €225 million, including from Sequoia, the famous Silicon Valley fund that invested early in companies like Google, Facebook, Airbnb, Stripe, Paypal and many more...
👨‍👩‍👧‍👦 Grow from 7 cofounders to 650+ happy Pennylaners: we’re now recognized as one of the greatest places to work in France (and also remotely), with a 4.6/5 rating on Glassdoor.
🌍 Build an international environment with more than 25 nationalities, with a strong remote-friendly culture, where 30% of the employees are already working from all parts of Europe
🤝 Earn the trust of thousands of customers and accounting firms and obtain outstanding ratings
🚀 Already more than 350,000 small and medium-sized enterprises (SMEs) and over 4,500 accounting firms use Pennylane in France!

WHY this position is of utmost importance to reach our mission

We are looking for an Application Security Engineer to join Romain and Sylvain within the security technical team, managed by Louis. Under the direction of Guillaume, our Head of Information and Security, the team handles all technical topics related to security.

In collaboration with the compliance team, you will provide your technical expertise in defining and overseeing key projects aimed at sustainably enhancing the security of our assets. You will play a key role in advising, training, and being the security reference for all employees — especially developers.

The daily management of technical operations related to ISO 27001 certification will also be part of your responsibilities.
The security technical team is involved from identifying and detecting security issues to resolving them, including the development and implementation of patches. When needs are significant or patches are complex, the security team collaborates with developers, especially Security Champions, to strengthen the effectiveness of interactions.

🎯 Your tasks

You will be primarily involved in the following:
- All technical security topics while providing technical support for compliance needs.

Let's break it down:
- Participate in the internal Security By Design process: assess the security impact of new features from their design stage and ensure the integration of the right security mechanisms until deployment;
- Ensure the security of the main Web application in Ruby on Rails and React: covering its dependencies, code, infrastructure, and configuration;
- Maintain the security and ongoing security compliance of other applications and the AWS infrastructure, particularly its Kubernetes environment (AWS EKS);
- Conduct regular audits (internal or by an external firm) on applications (code reviews/pentests/bug bounty programs) and infrastructure;
- Ensure compliance with ISO 27001 controls (processes) related to development (mandatory coding practices, validation, updates, vulnerability management, etc.) through developer training, project monitoring (tech, product), regular internal audits, and management of tech non-conformities;
- Perform code reviews from a security perspective for developers (about 80 production releases per day, not all of which have security implications, but it's an important and recurring aspect);
- Build/Improve training materials for secure development and lead regular training sessions for developers;
- Strengthen our detection and response capabilities for security incidents by proposing appropriate solutions against threats, whether they are technical or fraud-related;
- Contribute to bids and proposals to explain our security policies and provide the necessary technical details.
These tasks are not exhaustive and are subject to change.

🥇 You’re the right candidate if

You have an experienced/senior profile in application security (defensive or offensive), learn quickly, and have a broad interest in all things related to security. We work on a wide range of security topics (application, Cloud infrastructure, security by design, training, ISO 27001, etc.).

Working in an English-speaking environment doesn’t scare you. You don’t need to be bilingual, but you must be able to communicate clearly both orally and in writing, and understand what is being said. If you need support with this, we’ll immediately provide you with a Busuu subscription to improve your English.


Ideally, you possess the following qualities, skills, and experience:
- Able to conduct offensive security audits on an infrastructure or application;
- You are proficient in exploiting and fixing most Web vulnerabilities (not just the OWASP Top 10);
- You have experience with a programming language (Ruby, Python, JavaScript), whether for writing “quick and dirty” scripts to exploit a vulnerability or as part of larger projects;
- You have experience with Cloud infrastructure security;
- You can simplify technical language to help integrate security measures into projects or to communicate messages to all Pennylaners;
- You are autonomous, proactive, and organized;
- Working with remote colleagues is not a problem for you.

Bonus: If you have experience developing in Ruby or React and/or hold certifications in application security. A versatile profile will be preferred.

What does the recruitment process look like?

- You will first have a general chat with Maxime (Technical Recruiter): 30 min
- Next, you will meet your future team — Louis and Romain/Sylvain — for a first discussion to quickly go over and explore the technical challenge (30 minutes).
- You will then complete the technical challenge on your own within 48 hours. After submitting your work, you will discuss the exercise with Louis, Romain, and Sylvain (1 hour).
- Then, you will meet Guillaume, our Head of Information and Security (40 minutes).
- Finally, you will have a last "culture fit" interview with one of our co-founders (30 minutes).

We make sure we move fast; you can expect the recruitment process with us to last between 15 and 25 days in total.

Encouraging diversity in all its forms, Pennylane strives to offer an inclusive, caring and fulfilling work environment in our offices and remotely. We provide equal opportunities and consideration regardless of background, origin, gender, religion, sexual orientation or handicap.

Pennylane Company Size

Between 10 - 500 employees

Pennylane Founded Year

2020

Pennylane Funding Rounds

  • Series Unknown: $75,000,000 EUR
  • Series C: $40,000,000 EUR
  • Series C: $29,500,000 EUR
  • Series B: $50,000,000 EUR
  • Series A: $15,000,000 EUR
  • Seed: $4,000,000 EUR