Security engineer
Keystone Solutions
3 days ago
Role details
Contract type: Contract
Employment type: Full-time (> 32 hours)
Working hours: Regular working hours
Languages: Dutch, English, French
Job location
Tech stack
Java
JavaScript
.NET
API
Amazon Web Services (AWS)
Software System Penetration Testing
JIRA
Azure
Burp Suite
Cloud Computing Security
Code Review
Continuous Integration
Data Deduplication
Github
Identity and Access Management
Python
Open Web Application Security
PCI Data Security Standards
Systems Development Life Cycle
Fortify (Software)
Red Team (Cyber Security)
Secure Coding
TypeScript
Software Vulnerability Management
Software Security
Gitlab
Kubernetes
Patch Management
Checkmarx
Serverless Computing
Servicenow
Static Application Security Testing
Microservices
Dynamic Application Security Testing
Job description
- Own and operate the application vulnerability management lifecycle for the client, from detection and validation to prioritization, remediation tracking, and closure.
- Run, tune, and continuously improve application security testing across SAST, DAST, SCA, container and cloud scanners, and manual validation where needed.
- Perform triage of findings (false positive analysis, deduplication, exploitability assessment), apply CVSS scoring, and align with risk appetite, SLAs, and regulatory expectations.
- Collaborate with development and platform teams to plan and implement remediations, workarounds, or compensating controls; support patch management coordination where applicable.
- Integrate and automate vulnerability workflows with CI/CD pipelines and ticketing systems to enable shift-left and continuous security testing.
- Define and maintain secure coding standards, OWASP ASVS-aligned requirements, and guardrails; contribute to threat modeling and secure design reviews for critical applications.
- Coordinate targeted penetration tests, support red team exercises, and manage bug bounty triage in alignment with the client's policies.
- Establish dashboards and KPI/KRIs for application security posture; create executive and technical reporting for risk committees and product owners.
- Manage exception processes and risk acceptance with time-bound remediation plans and temporary controls.
- Contribute to policy and process improvements aligned to OWASP, NIST SSDF, ISO/IEC 27001/27034, and banking regulatory frameworks (including DORA readiness).
- Provide hands-on guidance, secure coding clinics, and knowledge transfer to engineering teams to foster a strong security culture.
- Respond to emerging threats and zero-day exposures with rapid assessment, impact analysis, and interim mitigation strategies.
- Ensure segregation of duties, proper access management for security tools, and data protection throughout scanning and reporting.
- As a Keystone Solutions consultant, document and communicate deliverables clearly, uphold consulting quality standards, and support continuous improvement across the client engagement.
- Work on diverse products within the client's application landscape, from customer-facing banking portals and APIs to internal platforms and microservices.
- Address varied technology stacks and delivery models, enabling you to broaden your technical and consulting toolkit.
- Contribute to future Keystone Solutions missions across other clients and sectors as your journey progresses.
Turbo-Charged Learning and Development:
- Continuous learning culture with access to curated training paths, certifications support, peer coaching, and knowledge-sharing communities.
- Guidance from senior Keystone Solutions consultants and practice leads to accelerate your technical depth and consulting impact.
Ambition Skyrocketing within a Consultancy Framework:
- A clear growth path through increasing mission complexity, ownership of client outcomes, and the opportunity to mentor others.
- Recognition for measurable impact: improving security posture, reducing risk exposure, and elevating secure engineering maturity at client sites.
Emphasizing Keystone Solutions' Values in a Consultancy Context:
- We deliver with integrity, excellence, and empathy; being a K-Stone means bringing these values to every client interaction.
- We collaborate openly, challenge constructively, and champion pragmatic security that enables the client's business.
- We take ownership end-to-end, ensuring traceable outcomes, clear communication, and sustainable improvements.
Practical Details:
- Location: Brussels, client site in the banking sector; hybrid on-site/remote according to client policy.
- Engagement: Full-time consultancy mission through Keystone Solutions, with the possibility of subsequent projects across our client portfolio.
- Start: As soon as available, aligned with client onboarding timelines.
Requirements
- Proven experience in application security or vulnerability management in complex, regulated environments (financial services experience strongly valued).
- Deep knowledge of OWASP Top 10, OWASP ASVS, CWE, and practical remediation strategies for web, API, and mobile vulnerabilities.
- Hands-on with application security tooling such as SAST (e.g., Checkmarx, Fortify), DAST (e.g., Burp Suite, OWASP ZAP), SCA (e.g., Snyk, Black Duck), container and IaC scanners, and code review practices.
- Solid understanding of secure SDLC and CI/CD integration (e.g., GitLab/GitHub/Azure DevOps), including automation of security gates and quality thresholds.
- Ability to analyze risk using CVSS, map to business impact, and prioritize remediation according to SLAs and regulatory constraints.
- Familiarity with frameworks and standards relevant to banks, such as NIST SSDF, ISO/IEC 27001/27034, PCI DSS (where applicable), and DORA preparedness.
- Practical knowledge of at least one major programming ecosystem (e.g., Java, .NET, JavaScript/TypeScript, Python) to propose concrete remediation guidance.
- Experience with ticketing and reporting workflows (e.g., Jira, ServiceNow) and building stakeholder-centric dashboards.
- Strong communication skills to explain risk and remediation trade-offs to both engineers and non-technical stakeholders.
- Fluent in English; French and/or Dutch is an asset in the Brussels context.
Nice to Have:
- Knowledge of cloud security for AWS, Azure, or GCP and associated application scanning approaches (serverless, containers, Kubernetes).
- Experience coordinating or performing penetration testing and threat modeling at scale.
- Certifications such as CISSP, CSSLP, GWAPT, OSWE, or equivalent practical track record.
- Exposure to data protection and privacy-by-design in application architectures.