About the Role

We are seeking an Application Security Engineer to join our team at MoonPay. This remote position offers an exciting opportunity to contribute to the security of our digital payment platform. As an Application Security Engineer, you will play a crucial role in ensuring the safety and integrity of our systems, making financial freedom accessible to everyone.

What You'll Do

  • Conduct threat modeling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process.
  • Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate.
  • Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation.
  • Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls.
  • Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance.
  • Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack.
  • Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization.
  • Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements.

Requirements

  • Experience across multiple security domains, including web and mobile application security, infrastructure and cloud security.
  • Hands-on experience performing white-box, source code-assisted web and mobile application penetration testing.
  • Ability to read, understand, and review source code, particularly in JavaScript and TypeScript.
  • Strong understanding of Threat Modeling principles and their practical application to the secure software development lifecycle (SDLC).
  • Experience working with web application firewalls to help protect applications and assess coverage.
  • Experience embedding application security practices into CI/CD pipelines.
  • Ability to communicate security findings clearly to both technical and non-technical audiences.
  • Self-motivated and proactive, with a collaborative mindset.

Nice to Have

  • Experience with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities.
  • Experience testing and securing GraphQL and REST APIs.
  • Interest in Web3 security testing, including assessing smart contracts and blockchain-based applications.

What We Offer

  • Competitive salary package.
  • Equity package for all employees.
  • Pay-for-performance equity bonus.
  • Unlimited holidays for work-life balance.
  • Hybrid working schedule - fully remote or at your nearest Moonbase.
  • Private healthcare benefits.
  • Annual training budget for professional development.
  • Home office setup allowance.
  • Remote working allowance for utilities.
  • Employee referral program with rewards.

Join us as an Application Security Engineer and help shape the future of payments in the decentralized economy. This remote role is your chance to make a significant impact in a fast-growing company.

Language Requirements
English: C1
Why This Job (8.5 of 10)

This role offers a unique opportunity to work remotely as an Application Security Engineer at MoonPay, a leader in the crypto space. With a competitive salary and equity options, you can make a significant impact on the security of digital payments.

Who Will Succeed Here

Proficient in Application Security best practices, with hands-on experience in Penetration Testing and Vulnerability Assessment using tools like OWASP ZAP and Burp Suite, specifically in JavaScript and TypeScript environments.

Self-motivated and disciplined in a remote work setting, demonstrating the ability to manage time effectively and collaborate asynchronously with cross-functional teams to address security challenges.

Analytical mindset with experience in conducting threat modeling sessions, capable of identifying potential security risks in applications and implementing mitigations in cloud environments, particularly with Cloudflare and Web Application Firewalls.

Learning Resources

OWASP Application Security Verification Standard (guide)

Career Path

  • Application Security Engineer (Now)
  • Senior Application Security Engineer (2-4 years)
  • Lead Security Architect (5-7 years)

Market Overview

  • Market Size 2024: $17.5B
  • Annual Growth: 12.4%
  • AI Adoption: 35%
  • Investment in Application Security: +50%
  • Labour Demand for Application Security Roles: +28%
  • Avg Salary for Application Security Engineer: $120K

Skills & Requirements

  • Required: Application Security, Penetration Testing, Vulnerability Assessment
  • Growing in Demand: DevSecOps Practices, Cloud Security Architecture, Container Security (e.g., Docker, Kubernetes)
  • Declining: Static Application Security Testing (SAST) tools with limited integration, Manual Penetration Testing techniques without automation

Domain Trends

Increased Adoption of DevSecOps
Organizations are integrating security practices into the DevOps pipeline, leading to a 40% increase in demand for professionals skilled in DevSecOps.
Rise in Cloud Security Concerns
With over 70% of enterprises migrating to the cloud, there is a significant focus on securing cloud applications, resulting in a 60% increase in investment in cloud security solutions.
Emergence of AI-Driven Security Tools
AI-driven security solutions are projected to grow by 25% in the next two years, as organizations seek to automate threat detection and response.

All job postings are automatically gathered by algorithms. We do not review or verify listings; be careful when applying and do not sign in with iCloud or Google services.