Role in brief
MoonPay is seeking a Senior Application Security Engineer to integrate security into their digital currency platform. This role involves conducting security assessments, improving application-layer protections, and collaborating with engineering teams to embed security best practices throughout the development lifecycle. This position is suitable for an experienced security professional with a background in web and mobile application security, cloud security, and penetration testing.
About the role
This role focuses on enhancing the security posture of MoonPay's digital currency platform. The Senior Application Security Engineer will conduct threat modeling reviews, perform application security assessments, and investigate bug bounty submissions. A key part of the work involves developing and improving application-layer protections, including managing and tuning web application firewalls to safeguard transactions.
The position requires close collaboration with engineering teams to integrate security practices into every stage of the software development lifecycle, from initial design through deployment. This includes providing security guidance, training, and contributing to security standards. The engineer will also research emerging threats and translate findings into practical mitigation strategies relevant to the company's technology stack.
Success in this role means proactively identifying and addressing security vulnerabilities, fostering a security-aware culture within engineering teams, and contributing to the overall security maturity of the organization. The engineer will support incident response activities and help evolve security processes, playing a critical part in protecting MoonPay's platform, which facilitates digital currency transactions for millions of users globally.
The competitive salary for this full-time senior position ranges from $90,000 to $150,000 USD.
Skills that matter here
- application security: This role requires broad experience in application security to drive a holistic security approach across web and mobile platforms.
- penetration testing: The engineer will perform white-box, source code-assisted penetration testing for web and mobile applications.
- vulnerability assessments: This position involves conducting vulnerability assessments and developing proofs-of-concept to identify and validate security weaknesses.
- cloud security: Experience in cloud security is necessary to connect various security domains and ensure comprehensive protection.
- JavaScript: The ability to review and understand JavaScript source code is important for identifying security issues.
- web application firewalls: This role includes managing and tuning web application firewalls to protect applications and mitigate attack patterns.
Who this role suits
- Someone who is self-motivated and proactive, taking strong ownership of their work in a remote setting.
- An individual who can effectively communicate complex security findings to both technical and non-technical audiences.
- A person with a collaborative mindset, capable of partnering closely with engineering teams to embed security practices.
- Someone who thrives on researching emerging threats and translating findings into practical mitigation strategies.
From the employer
- Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process.
- Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate.
- Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation.
- Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls.
- Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance.
- Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack.
- Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization.
- Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation.
- Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements.
- You have developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security, and can connect these areas to drive a holistic security approach.
- You have hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation.
- You have the ability to read, understand, and review source code to identify security issues, ideally with a particular focus on JavaScript and TypeScript codebases.
- You have a strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC).
- You have experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns.
- You have experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle.
- You have collaborated closely with engineering teams to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations, and support the implementation of effective fixes for both technical and non-technical audiences.
- You are self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset.
- Competitive salary ranging from $90K to $150K.
- Opportunity to work remotely.
- Join a team dedicated to building secure, scalable solutions for a blockchain-powered future.
Questions about this role
What is the remote work policy for this role?
This is a fully remote position, allowing the successful candidate to work from any location.
What level of seniority is expected for this position?
This is a senior-level role, requiring a breadth of experience across multiple security domains.
What are the key technical skills required?
Key technical skills include application security, penetration testing, vulnerability assessments, cloud security, and experience with JavaScript, TypeScript, and web application firewalls.