OnePay

AppSec Engineer

Posted 9 Days Ago
Remote
Hiring Remotely in United States
170K-210K Annually
Senior level
Design and enforce application security across AWS and Kubernetes environments: perform secure code reviews, threat modeling, automate AppSec workflows, embed security into CI/CD and IaC, build tooling, support compliance (PCI/CCPA/GLBA), and partner with product and detection teams to operationalize AppSec standards.
The summary above was generated by AI
About OnePay

OnePay is the consumer fintech trusted by millions of Americans to make money better.

Our financial system is broken. High fees, low rates, and too few ways to actually grow your money. We’re fixing it. And we’re moving fast.

We’re an all-in-one financial services platform that brings together banking, high-yield savings, credit cards, point-of-sale lending, investing, and crypto in one place. We also partner with employers, HCM providers, gig platforms, and others to deliver embedded financial services to millions of employees and frontline workers.

We’re backed by Walmart, the world’s largest retailer, and Ribbit Capital, one of fintech’s most respected investors, giving us rare scale, distribution, and the opportunity to build something truly category-defining.

But what really sets OnePay apart is how we move. Our customers don’t have time to wait… and neither do we. This place moves fast, and we’re looking for people who are:

  • Ready to run

  • Hungry and driven by urgency

  • Exceptional at what they do, with low ego

  • Comfortable operating in motion

The Role

Our Application Security Engineers play a pivotal role in safeguarding our platform, driving everything from designing secure AWS architectures to embedding automated threat detection that protects customer transactions. Your work will ensure we meet rigorous compliance standards (PCI, CCPA, GLBA) and maintain the highest levels of trust and reliability for our users.

  • Perform secure code reviews and static/dynamic analysis; oversee remediation with dev teams

  • Conduct threat modeling sessions and risk‑driven design reviews early in development

  • Automate repetitive security tasks—vulnerability triage, code scanning, tool orchestration

  • Build and extend in-house AppSec automation frameworks or pentest tooling

  • Architect and implement secure AWS configurations (IAM roles/policies, encryption keys, VPC segmentation)

  • Embed security into CI/CD pipelines and repos using policy-as-code tools (pre-commit hooks, SAST/SCA, IDE tool integrations)

  • Secure container and orchestration environments (EKS, Kubernetes, Docker) per best practices

  • Partner with security architecture and detection teams (SIEM tuning, logging, telemetry alignment)

  • Develop and enforce AppSec standards and patterns across product teams; iterate through feedback loops

  • Support regulatory or compliance assessments (PCI, CCPA, GLBA) as needed

You Bring
  • 8–12 years’ experience in application security engineering, DevSecOps, or security platform engineering

  • Solid threat modeling and secure code review skills; SAST/SCA tool proficiency

  • Experience scripting automation (e.g. Python, Bash, PowerShell) to streamline AppSec tasks

  • Capability to lead in-house AppSec frameworks or tooling development

  • Deep familiarity with CVSS, MITRE ATT&CK frameworks, OWASP Top 10 and CWE taxonomy

  • Proven experience with AWS core services: IAM, KMS, VPC, EC2, RDS, EKS

  • Hands-on expertise in securing IaC and CI/CD pipelines; strong knowledge of policy-as-code tooling

  • Container security experience: Docker, Kubernetes, EKS-related threat surfaces

  • Strong communicator, able to translate technical findings to non-technical stakeholders

  • Track record of defining and institutionalizing security architecture patterns

Tools We Use

We use Node and TypeScript on the server, leveraging the NestJS framework within a microservice-oriented architecture running on Kubernetes and AWS. On the client side, we build and ship product features for iOS, Android, and web platforms using React Native. While you don’t need experience with our exact stack, familiarity with modern software engineering practices will help you ramp up quickly.

What We Offer
  • Competitive base salary, stock options, and health benefits from Day 1

  • 401(k) plan with company match

  • Remote-friendly (US), flexible time off (FTO), and opportunities for growth

  • A high-growth, mission-driven, inclusive culture where your work has real impact

Standard Interview Process
  • Initial Interview with Talent Partner

  • Technical or Hiring Manager Interview

  • Team Interview

  • Executive Interview

  • Offer!

Equal Employment Opportunity

To build technology and products that are used and loved by people and solve real-world problems, we need to build a team with many different perspectives and experiences. We are an equal opportunity employer. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. We encourage candidates from all backgrounds to apply. Applicants in need of special assistance or accommodation during the interview process or in accessing our website may contact us at [email protected].

Top Skills

Python, Bash, PowerShell, Node, TypeScript, NestJS, React Native, AWS, IAM, KMS, VPC, EC2, RDS, EKS, Kubernetes, Docker, SAST, SCA, DAST, IaC, CI/CD, Policy-as-Code, Pre-Commit, SIEM, MITRE ATT&CK, OWASP Top 10, CWE, CVSS
