Application Security Engineer

Founded in 1991, we are a global quantitative and systematic asset management firm applying a scientific approach to finance to develop alternative investment strategies that create value for our clients.

We value innovation, dedication, collaboration, and the ability to make an impact. Together, we create a stimulating environment for talented and passionate experts in research, technology, and business to explore new ideas and challenge existing assumptions.

Are you passionate about application security and ready to serve as a subject matter expert in both application security and securing the software development lifecycle? In this role, you’ll be instrumental in protecting our low‑latency processing systems and trading platforms across diverse environments. Reporting directly to the Director of Application Security, you will work collaboratively with development, infrastructure, and operations teams to embed security into every phase of our process and into company culture.

• Serve as the internal point of reference and subject matter expert on application security and software factory security.
• Design, implement, and maintain the essential tools to ensure secure CI/CD pipelines with robust security controls, including automated testing, secrets detection, compliance checks, software composition analysis, and vulnerability management.
• Support our development teams in addressing identified findings and ensuring compliance with secure coding practices to align with industry standards for both cloud and on‑premises environments, while promoting a culture of ongoing security enhancement.
• Participate in design reviews, threat modeling, and architecture assessments to proactively identify and mitigate security risks in new and existing solutions.
• Work with our Core and Architecture team to establish and enforce solutions for encryption, authentication (both human and machine), access control (role‑and‑attribute‑based), secret management, and secure configurations in cloud (AWS, GCP, or Azure) as well as on‑premises environments.
• Develop, monitor, and report indicators to track security performance and drive continuous improvement.

• Bachelor’s degree (or equivalent practical experience) in Computer Science, Information Security, or a related field.
• A minimum of 4 years of hands‑on experience in application security, with proven expertise securing modern architectures—including cloud environments, containerized applications, serverless platforms, APIs, and traditional on‑premises systems.
• Hands‑on experience with security testing tools (e.g., SAST, DAST, IAST, SCA, SBOM).
• Ability to design, configure, implement, and maintain these tools as part of production CI/CD pipelines, ensuring accurate vulnerability detection, low noise, and minimal impact on deployment speed and stability.
• Demonstrable experience implementing and managing secure CI/CD pipelines and integrating DevSecOps practices.
• Proficiency in Linux environments, networking protocols (TCP/IP, UDP, HTTP, HTTPS), and microservices architectures.
• Expertise on authentication and authorization protocols including but not limited to SAML, OAuth2, and OpenID Connect.
• Strong coding skills in Python with the ability to read, analyze, and communicate code vulnerabilities to both technical and non‑technical audiences.
• Clear understanding of web development fundamentals such as REST APIs, cookies, same-origin policy, and cross-origin resource sharing.
• Familiarity with common security frameworks and methodologies (e.g., OWASP Top 10, NIST SSDF).
• Excellent written and verbal communication skills, with proven ability to transform complex technical concepts into clear business and security recommendations.

• An advanced certification such as Certified Secure Software Lifecycle Professional (CSSLP) is highly desirable.
• Demonstrated expertise in cloud security across AWS, GCP, or Azure, and extensive experience securing on‑premises systems to ensure a cohesive security posture across all environments.
• Strong background in implementing and managing Infrastructure as Code (IaC) and automation tools (e.g., Terraform, Ansible, CloudFormation).
• Experience with threat modeling or conducting comprehensive security audits.

We are continuously striving to be an equal‑opportunity employer and prohibit any discrimination based on sex, disability, origin, sexual orientation, gender identity, age, race, or religion. We believe that our diversity, breadth of experience, and multiple points of view are among the leading factors in our success.

CFM is a signatory of the Women Empowerment Principles.

Follow us on Twitter or LinkedIn or visit our website to find out more about CFM.