MoonPay - Application Security Engineer
Requirements
• You contribute or have contributed to the security community through open source involvement, participation in CTFs, or speaking at local information security meetups and conferences.
• Your background includes experience working with disruptive technologies and successfully launching products, ideally within FinTech, SaaS, or Crypto.
• You hold one or more security relevant certifications such as OSCP or OSWE.
• BLOCK Values
Responsibilities
• Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process.
• Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate.
• Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation.
• Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls.
• Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance.
• Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack.
• Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization.
• Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation.
• Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements.
• You have developed a breadth of experience across multiple security domains, including web and mobile application security and infrastructure and cloud security, and can connect these areas to drive a holistic security approach.
• You have hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation.
• You have the ability to read, understand, and review source code to identify security issues, ideally with a particular focus on JavaScript and TypeScript codebases.
• You have a strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC).
• You have experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns.
• You have experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle.
• You have collaborated closely with engineering teams to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations, and support the implementation of effective fixes for both technical and non-technical audiences.
• You are self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset.
• You have experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases.
• You have experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities, to help secure and operate internet-facing applications.
• You have experience testing and securing GraphQL and REST APIs, including understanding common GraphQL/REST-specific attack vectors and security considerations.
• You have experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations.
• You have an interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications.
Benefits
• Pay for performance equity bonus:
• 🚀 Moonshot award.
• Unlimited holidays:
• Hybrid working schedule:
• Enhanced parental leave:
• Annual training budget:
• Remote working allowance:
• Monthly budget to spend on our products and zero fee crypto transactions:
• Employee referral programme:
• Regular remote company offsites:
• 🚀 Working in a disruptive and fast-growing company where excellence is rewarded
• Commitment To Diversity