Application Security Engineer

  • Finova Technologies Private Limited
  • Salford, Manchester
  • 16/06/2026
  • Full time
  • Information Technology / Telecommunications

Job Description

Application Security Engineer - Manchester Based (3 Days Hybrid)

Finova is seeking a hands-on Application Security Engineer to embed security into the design, build, and shipment of software across a multi-cloud SaaS fintech platform.

About the Role
  • Core Responsibility: Partner closely with developers, the IAM Specialist, and the Cloud Security Engineer to ensure identity, infrastructure, and code are defended together.
  • The Stack: Multi-cloud environment spanning AWS, Azure and GCP. Applications run on .NET / ASP.NET with SQL Server backends.
  • Key Challenge: Protect regulated financial data while defending a growing portfolio of AI-powered features against a new class of application risks (prompt injection, model abuse, and training data leakage).
  • Work Model: Highly collaborative, hands-on hybrid role focused on making secure-by-default the path of least resistance for engineering teams.
About You
  • Experience: 4-6 years in application security, product security, or security-focused software engineering within regulated environments.
  • Framework Expertise: Strong working knowledge of .NET / ASP.NET application security (claims-based identity, ASP.NET Core authorization, data protection APIs).
  • Security Models: Deep familiarity with OWASP Top 10, OWASP ASVS, and hands-on experience leading threat modelling sessions (STRIDE/attack trees).
  • CI/CD Pipeline Skills: Experience integrating and tuning security tools (SAST, SCA, DAST) within Azure DevOps, GitHub Actions or similar pipelines.
  • Code Review: Confident reading and reviewing C# code to find authorization flaws, deserialization issues, or tenant isolation gaps during PRs.
  • Core Fundamentals: Solid understanding of cryptographic primitives, API security at scale (OAuth 2.0 / OIDC, JWT pitfalls), and SaaS multi-tenancy data exposure risks.
  • Consultative Delivery: Experience working as a delivery engineer or consultant, shipping security work into messy, deadline-driven customer environments.
  • Communication: Clear communicator who can effectively coach a junior engineer, debate with a senior engineer, and explain critical risks to non-technical executives.
Nice to Have
  • Fintech Background: Experience working in fintech, payments, banking or insurance environments.
  • AI Security: Hands-on experience securing AI/LLM features, prompt injection defence, and familiarity with OWASP LLM Top 10 or MITRE ATLAS.
  • Offensive Security: An offensive security background (OSCP, OSWE or equivalent) or experience with bug bounty program design.
  • Certifications: CSSLP, GWAPT, GWEB, CISSP or vendor-specific cloud security certifications.
  • Database Security: Experience identifying SQL Server-specific application risks, including ORM misuse and stored procedure vulnerabilities.
  • Community Contributions: Contributions to open source security tooling, CVE research, or published security writing.
Key Attributes
  • The Collaborative Builder: Thrive in shared-accountability environments, working alongside infrastructure and identity specialists to build multi-layered defences.
  • Pragmatic and Ruthless: Tune tools to protect developer workflows from noise, ensuring that every alert is a high-signal, high-trust finding.
  • Curious and Adaptive: Energized by new technical frontiers, translating the emerging risks of AI endpoints and LLMs into practical engineering guardrails.
  • Resilient Communicator: Comfortable operating in regulated environments, translating complex vulnerabilities into business context for leadership while remaining a trusted peer to developers.
What Will You Be Doing?

Secure SDLC & Shift-Left Automation
  • Toolchain Ownership: Own the application security toolchain end to end (SAST, SCA, DAST, secrets, container and IaC scanning) integrated into Azure DevOps and GitHub Actions.
  • Scanner Optimization: Tune scanners to maximize high-signal findings and eliminate noise so engineers trust the alerts.
  • Early Detection: Build and maintain pre-commit and pull request security checks to catch issues before code is merged.
  • Vulnerability Management: Drive CVSS-based SLAs, automated tracking and exception workflows for application-layer issues across product teams.
  • Coding Standards: Define and evolve secure coding standards for .NET / ASP.NET (input validation, cryptography, logging and authorization patterns).
Threat Modelling & Secure Design
  • Active Threat Modelling: Lead threat modelling sessions for new features using STRIDE or attack trees, turning outputs into tracked work items.
  • Design Architecture: Review Architectural Decision Records, API designs and data flow diagrams before code is written.
  • Developer Pairing: Provide hands-on security guidance by pairing with developers on complex authorization logic, cryptographic choices or tenant isolation.
  • Pattern Catalogues: Maintain a living catalogue of approved secure patterns and anti-patterns so teams can build securely at speed.
Vulnerability Management & Penetration Testing
  • Lifecycle Management: Own the remediation lifecycle for application findings discovered via internal testing, customer reports, bug bounties and external pentests.
  • Pentest Coordination: Scope and coordinate external penetration tests, select vendors, challenge false positives and build remediation plans.
  • Internal Testing: Conduct manual code reviews of high-risk areas, dynamic testing of new features and adversarial reviews of authorization logic.
  • Purple Teaming: Build and run purple team exercises against internal applications to test detection and response capabilities alongside Security Operations.
Application Layer Authorization (in partnership with IAM)
  • Access Validation: Partner with the IAM Specialist to ensure RBAC/ABAC implementations behave correctly, tenant context is mandatory and defaults fail closed.
  • ASP.NET Hardening: Review and harden authorization implementations (Claims, policies, attributes, custom middleware) and write unit/integration tests to prove isolation.
  • Policy Design: Contribute to OPA / Rego policy design from the application side and integrate policy decision points into application code.
  • Bug Hunting: Systematically hunt for high-stakes authorization bugs such as IDOR, BOLA, broken access control and mass assignment.
API & Service Security
  • API Standards: Define and enforce standards for authentication (OAuth 2.0, mTLS), rate limiting and schema validation across REST, GraphQL and gRPC.
  • Gateway Hardening: Partner with the Cloud Security Engineer to harden API gateway configurations, request validations and JWT validation rules.
  • Layer 7 Protections: Implement and monitor WAF rules, bot management and anti-automation controls without disrupting legitimate customer integrations.
  • Inventory Tracking: Maintain a clear inventory of internal and external APIs, their classifications and their security postures.
AI & ML Application Security
  • AI Risk Leadership: Lead security thinking for AI features, defending against prompt injection, jailbreaks, model DoS and inference data leakage.
  • Adversarial Testing: Design and run security testing for LLM-backed endpoints and feed findings back into prompt design and guardrails.
  • Confused Deputy Prevention: Collaborate with IAM to ensure AI endpoints cannot be weaponized to bypass direct access limitations.
  • Data Pipeline Security: Define secure use patterns for embeddings, vector databases, RAG pipelines and feature stores to prevent tenant data leaks.
  • Landscape Tracking: Translate evolving AI security frameworks (OWASP LLM Top 10, MITRE ATLAS) into practical engineering standards.
Compliance, Evidence & Engineering Enablement
  • Automated Evidence: Ensure application security controls satisfy SOC 2 Type II and PCI DSS requirements via automated pipeline collection.
  • Audit Support: Support audits and customer assurance reviews by providing technical context and clear remediation narratives.
  • Security Training: Run secure coding workshops, threat modelling enablement, and post-incident learning sessions for engineers.
  • Incident Response: Contribute to incident response for application security events through root cause analysis and blameless post-mortems.
What We Offer
  • Hybrid working - work in the office with flexibility to work remotely as needed.
  • Private medical insurance - comprehensive health cover with option to add family.
  • Life assurance and income protection - peace of mind for the future.
  • Family-friendly policies - enhanced leave beyond maternity and paternity.
  • Work from anywhere - approval to work abroad for up to 4 weeks each year.
  • Flexible holiday package - 25 days paid holiday plus public holidays, with option to rebook or trade.
  • Company pension scheme - salary exchange to save on tax and build a secure future.
  • Employee assistance programme - confidential counselling helpline.
  • Electric car scheme - brand new electric vehicle with salary sacrifice.
  • Health cash plan - reimbursement for everyday healthcare costs.