Application Security Engineer

Pennymac (NYSE: PFSI) is a specialty financial services firm with a comprehensive mortgage platform and integrated business focused on the production and servicing of U.S. mortgage loans and the management of investments related to the U.S. mortgage market.

At Pennymac, our people are the foundation of our success and at the heart of our dynamic work culture. Together, we work towards a unified goal of helping millions of Americans achieve aspirations of homeownership through the complete mortgage journey.

TheApplication Security Engineer will be a part of our Information Security department and work closely with development teams, product teams, and other stakeholders across the organization. TheApplication Security Engineerwill integrate security into the product lifecycle from design through deployment, with a strong emphasis on cloud environments, secure coding, vulnerability management, attack surface reduction and DevOps practices. The engineer will be responsible for implementing and maintaining advanced security measures to safeguard Pennymac's software systems, applications, code, and related components. The ideal candidate will have a strong background in both cloud and on-premises environments, proficiency in scripting languages (particularly BASH and/or PowerShell), and the ability to understand multiple programming languages. Key responsibilities include managing security across multiple applications, CI/CD pipelines, Infrastructure as Code (IaC) practices, and conducting risk assessments. The role requires a blend of technical expertise in cloud platforms (primarily AWS, with some GCP exposure), system administration skills across Linux and Windows environments, and the ability to effectively communicate complex security concepts to both technical and non-technical audiences. This position offers the opportunity to drive security innovation, mentor junior staff, and contribute to the development of comprehensive, multi-year cybersecurity strategies for Pennymac.

TheApplication Security Engineerwill:

• Work with product teams throughout the entire SDLC to ensure code is secure by design, secure by default, secure in deploymentand communication.
• Implement and maintain key security platforms including DAST, SAST, SCA, CSPM to enhance the organization's security posture.
• Provide subject matter expertise on application security domains, including secure coding practices, continuous integration anddeployment, and threat modeling.
• Perform application code analysis and contribute to security-related code reviews and scanning capabilities across multipleprogramming languages (e.g., Ruby, Python, Bash, TypeScript, Java, JavaScript, C++, Go).
• Develop and maintain scripts to automate security processes and enhance efficiency.
• Stay current with emerging security threats, technologies, and best practices, applying this knowledge to continuously improvePennymac's security posture.
• Build relationships with development teams to foster an inclusive culture.
• Provide subject matter expertise on application security domains including secure coding practices, continuous integration andcontinuous deployment, and threat modeling.
• Participate in and provide support during high-priority cybersecurity incidents.
• Configure cybersecurity systems to monitor and protect serverless and container based computing applications.
• Work cross-functionally with DevOps, application development, database, and infrastructure teams to develop and maintain complexsystems that involve integration across in-house developed, COTS, and open-source components.
• Establish oneself as a trusted security advisor leading the design, definition and implementation of security best practices andstandards and ensure product development teams integrate them into their development workflow.
• Support the establishment, implementation, and governance of secure development standards and security baseline requirements.
• Drive threat modeling, risk assessment, penetration test findings analysis, and security technology assessments.
• Maintains an open communication channel with operations, development, and product teams to ensure security is integrated earlyand is working to solve business needs.
• Mentor junior staff to develop understanding of DevSecOps, Application Security, and Information Security.

• 2+ Years Experience in Cyber Security
• Approximately 3+ years of experience in programming and/or scripting languages.
• Ability or aptitude to operate within Gitlab and Azure DevOps source code and CI/CD technology stacks.
• Experience dealing with secure network and system design in Amazon Web Services (AWS)
• Expert understanding of secure configuration management and security controls.
• Experience reviewing SAST, DAST, penetration test, and SCA results and providing remediation recommendations.
• Experience performing application code analysisacross multipleprogramming languages (e.g., Ruby, Python, Bash, TypeScript, Java, JavaScript, C++, Go).
• Capable of architecting, engineering, and operationalizing application security technologies through plan, development, build, test,release, deploy, operate, and monitor phases of the SDLC.
• Experience in developing and/or reviewing secure development standards that incorporate regulatory and industry best practices.
• Desired experience with Web Penetration Testing tools for validation of security requirements.
• Excellent problem solving, critical thinking, interpersonal, collaboration, written and verbal communication skills.
• Must have a mindset of continuous improvement of people, processes and technology.
• Ability to work independently and self-motivate.

As one of the top mortgage lenders in the country, Pennymac has helped over 4 million lifetime homeowners achieve and sustain their aspirations of home. Our vision is to be the most trusted partner for home. Together, 4,000 Pennymac team members across the country are guided by our core values: to be Accountable, Reliable and Ethical in all that we do.Pennymac is committed to conducting a business that makes positive contributions and promotes long-term sustainable growth and to fostering an equitable and inclusive environment, where all employees and customers feel valued, respected and supported.

Benefits That Bring It Home: Whether you're looking for flexible benefits for today, setting up short-term goals for tomorrow, or planning for long-term success and retirement, Pennymac's benefits have you covered. Some key benefits include:

• Comprehensive Medical, Dental, and Vision
• Paid Time Off Programs including vacation, holidays, illness, and parental leave
• Wellness Programs, Employee Recognition Programs, and onsite gyms and cafe style dining (select locations)
• Retirement benefits, life insurance, 401k match, and tuition reimbursement
• Philanthropy Programs including matching gifts, volunteer grants, charitable grants and corporate sponsorships

To learn more about our benefits visit: https://pennymacnews.page.link/benefits

For residents with state required benefit information, additional information can be found at: https://www.pennymac.com/additional-benefits-information

Compensation: Individual salary may vary based on multiple factors including specific role, geographic location / market data, and skills and experience as defined below:

• Lower in range - Building skills and experience in the role
• Mid-range - Experience and skills align with proficiency in the role
• Higher in range - Experience and skills add value above typical requirements of the role

Some roles may be eligible for performance-based compensation and/or stock-based incentives awarded to employees based on company and individual performance.