Senior Application Security Engineer

Pluxee Türkiye (formerly Sodexo Avantaj)

Maltepe

Hybrid

TRY 2,926,000 - 3,903,000

Full time

10 days ago

Job summary

A leading employee benefits company in Turkey is looking for an experienced Security Engineer to shape application security strategies. You will conduct threat modeling, penetration testing, and support security integrations in CI/CD pipelines. Ideal candidates have deep knowledge of secure coding practices and extensive experience in application security. The position offers a competitive salary, performance-based bonus, and benefits including flexible working options and career development plans.

Benefits

Competitive salary
Annual bonus based on performance
Flexible benefits package
Career development opportunities
Extra welcome leave

Qualifications

  • Minimum 5 years of experience in application security or DevSecOps.
  • Hands-on experience with SAST, DAST, SCA tools.
  • Strong communication skills in delivering security training.

Responsibilities

  • Perform threat modeling and security design reviews.
  • Conduct vulnerability assessments and secure code reviews.
  • Design and maintain Web Application Firewall (WAF) policies.

Skills

Penetration Testing
Application Security
Secure Coding Practices
Vulnerability Management
DevSecOps

Education

Bachelor’s degree in Computer Science or related field

Tools

SAST Tools
DAST Tools
WAF
CI/CD Tools
Docker
Kubernetes
Job description

Overview

Pluxee (Formerly Sodexo Benefits & Rewards)

The leading global employee benefits and engagement partner that opens up a world of opportunities to help everyone enjoy more of what really matters to them. We believe that living life to the full means making the most of every moment and sharing experiences with the people we care about.

Through a full range of innovative and digital solutions deployed in 29 countries, Pluxee creates meaningful, engaging, and personalized experiences to contribute to the well-being of individuals at work and beyond. From meals and food, culture, and gifts to wellness and mobility, Pluxee’s products and services are designed to bring more value to people. Pluxee supports the purchasing power and promotes the well-being of more than 37 million consumers.

Pluxee accompanies 500,000 clients to develop more meaningful relationships with their employees and improve their engagement. Pluxee simplifies the life of 1.7 million merchants every day. Strengthened by its historical ties with Sodexo, Pluxee, with its 5,400 employees, is committed to increasing its influence as a CSR leader by giving its clients, partners and consumers the means to make more sustainable choices every day.

We are Pluxee, formerly Sodexo Benefits and Rewards Services, and we’re inventing entirely new ways to influence and enrich the lives of employees worldwide.

We bring to life benefit platforms and payment solutions to open up a world of opportunities to our 500,000 clients and 37 million of their employees in 29 countries.

Are you looking to shape the future of employee benefits and engagement?

Be the change. Let’s go above and beyond.

For more information: www.pluxeegroup.com; https://www.pluxee.com.tr/

Your next challenge
  • Perform threat modeling, security design reviews, and support secure architecture processes.
  • Conduct static (SAST) and dynamic (DAST) code analysis, penetration testing, vulnerability assessments, and secure code reviews on applications.
  • Lead the integration of SAST, DAST, SCA, IAST, and RASP tools into CI/CD pipelines and implement adequate security guardrails.
  • Take accountability as the technical project owner and coordinate with stakeholders to guarantee successful delivery in security tool implementations (e.g., SAST, DAST, DAM, WAF).
  • Ensure application security is embedded throughout the Secure Development Lifecycle (SDLC) by collaborating with developers, architects, and product teams.
  • Design, review, and maintain Web Application Firewall (WAF) policies, ensuring effective protection against application-layer attacks.
  • Collaborate closely with DevOps and development teams to embed security into infrastructure, CI/CD pipelines, and cloud-native environments.
  • Manage and contribute to pen-test and bug bounty programs, conduct security trainings, and mentor development teams in secure coding practices.
  • Support internal audit and regulatory compliance activities (PCI-DSS, KVKK, GDPR, ISO27001, HIPAA, etc.).
  • Provide application-level insights and recommendations during incident response activities.
  • Act as a subject matter expert (SME) in at least one technical area and provide security guidance to engineering teams.
  • Implement and oversee Database Activity Monitoring (DAM) solutions to detect, analyze, and respond to suspicious or unauthorized activities in databases.
You’re a match if you have:
  • Bachelor’s degree in Computer Science, Software Engineering, or a related field, or equivalent professional experience.
  • Minimum 5 years of experience in enterprise application security, penetration testing, or DevSecOps.
  • Hands-on experience with SAST, DAST, SCA, IAST, WAF tools, and their integration into development workflows.
  • Strong knowledge of secure coding practices, vulnerability management, and industry standards such as OWASP Top 10, OWASP ASVS, and NIST.
  • Development or scripting background; preferably Python, Ruby, Java, Go, C#, or JavaScript.
  • Experience with CI/CD and DevOps tools (GitLab CI, Jenkins, Docker, Kubernetes) and cloud environments (AWS, Azure, GCP).
  • Strong communication skills with the ability to deliver security awareness and technical training.
  • Preferred certifications: OSCP, OSWE, CISSP, CISM, CEH, or equivalent.
Preferred Experience
  • Prior experience in penetration testing and bug bounty program management.
  • Involvement in incident response within highly regulated industries (finance, payments, healthcare, etc.).
  • Expertise in web, mobile, microservices, databases, and API security.
What We Offer
  • Opportunity to shape and drive application security strategy within a fast-paced and impactful role.
  • Chance to build and scale bug bounty programs, implement automated security pipelines, and foster a strong security culture.
Your Location

Preferred: Istanbul, Turkey. Hybrid (2 days a month in the office).

Happy at work

A meaningful job: build the future of employee benefits and contribute to the quality of life at work for others. You will positively impact local communities too. It counts!

A great culture: we respect and care authentically about our people, we embrace work-life balance and new ideas, and we have a lot of fun!

Employee experience is what we do, so you can expect a comprehensive package including competitive salary + annual bonus based on performance + PluxeeFlex (flex benefits) + career development opportunities + extra welcome leave (6 days) in your first year.

Our company will process the personal data you may submit within the scope of your application as a controller to evaluate your application for the position you have applied for or further recruitment opportunities in association with your application. As a candidate, all communication between you and our company is protected according to Turkish Personal Data Protection Law No. 6698. You can click on the link “https://www.pluxee.com.tr/kilavuz/calisan-adayi-aydinlatma-metni/” for details.
