Application Security Engineer
Are you looking to have an impact on the daily life of millions of entrepreneurs in France (and tomorrow in Europe)? Are you looking for a work environment that values trust, proactivity, and autonomy? Then Pennylane is the right place for you.
Our vision: We aim to become the most beloved financial Operating System of French SMEs and Accounting Firms, and soon European ones. We help entrepreneurs with time-consuming accounting and finance tasks and provide key financial information to help make better business decisions.
Responsibilities
- Participate in the internal Security By Design process: assess the security impact of new features from design to deployment and ensure the integration of appropriate security mechanisms.
- Ensure the security of the main web application (Ruby on Rails and React): covering dependencies, code, infrastructure, and configuration.
- Maintain security and compliance for other applications and the AWS infrastructure, particularly the Kubernetes environment (AWS EKS).
- Conduct regular audits (internal or external) on applications (code reviews, penetration tests, bug bounty programs) and infrastructure.
- Ensure compliance with ISO 27001 controls related to development (coding practices, validation, updates, vulnerability management), through training, monitoring, audits, and management of non-conformities.
- Perform security-focused code reviews for developers (high volume of production releases) and provide guidance on security implications.
- Build and improve training materials for secure development and lead training sessions for developers.
- Strengthen detection and response capabilities for security incidents, proposing solutions against technical or fraud-related threats.
- Contribute to bids and proposals to explain security policies and provide technical details.
Requirements
You're an experienced/senior application security professional with broad interest in security topics (application, Cloud infrastructure, security by design, ISO 27001, training, etc.).
Working in an English-speaking environment is important; you should communicate clearly in writing and speaking. If needed, support is provided to improve English proficiency.
Ideally, you possess the following:
- Ability to conduct offensive/defensive security audits on infrastructure or applications.
- Proficiency in exploiting and fixing web vulnerabilities beyond the OWASP Top 10.
- Experience with a programming language (Ruby, Python, JavaScript) for scripts or projects.
- Experience with Cloud infrastructure security.
- Ability to simplify technical language to help integrate security measures into projects and communicate with Pennylane teams.
- Autonomous, proactive, and organized; comfortable working with remote colleagues.
- English communication ability (level assessed by department).
- Energetic about a dynamic work environment.
- Highly collaborative across teams and stakeholders.
- Experience prioritizing business-led actions in daily tasks.
We encourage applicants who may not meet every criterion. We value diversity, equity, and inclusion and provide equal opportunities regardless of background or identity.
Bonus: Experience developing in Ruby or React and/or certifications in application security. A versatile profile is valued.
Recruitment process
- Initial chat with the Technical Recruiter (30 min).
- Discussion with the future team for a technical overview (30 min).
- Complete a technical challenge within 48 hours and then discuss with the team (1 hour).
- Meeting with the Head of Information and Security (40 min).
- Final culture-fit interview with a co-founder (30 min).
We aim for a fast process, typically lasting 15 to 25 days.
What we offer
- Remote work from your European country, within two hours of CET.
- 25 paid vacation days.
- Competitive compensation package.
- Company shares.
- Home workspace budget and coworking space allowance.
- Wellness and fitness access via Gymlib (8000 spaces, 300 activities).
- Busuu access to improve English or French.
- Latest Apple equipment.
- Regular company events (Tech Days, annual seminar) for team cohesion.
For France-based hires, a French contract with additional benefits (RTT, PTO, lunch credits, healthcare, events) is provided. Availability of these benefits outside France varies by country.