Application Security Engineer

Are you looking to have an impact on the daily life of millions of entrepreneurs in France and Europe?

Do you thrive in a trustful, fast-paced environment?

Do you feel like our Engineering principles are aligned with your vision ?

Then Pennylane might be the right place for you — and you, might be the perfect fit for this role

**Our vision**

We aim to become the most beloved financial Operating System of European SMEs.

We help business owners get rid of the time consuming hassle of handling accounting and finance, while giving them access to key information that they can use to make better decisions.

Meanwhile, we’re helping accountants. By using Pennylane, rather than doing manual and repetitive tasks, they can spend more time advising and guiding their clients.

**About us**

Pennylane is one of the fastest growing Fintechs in France (and soon to be in Europe)

In 4 years of existence, we’ve managed to:
Make ourselves known as a groundbreaking accounting and financial software for small businesses and their accountants

Raise a total of €84 millions, including from Sequoia, the famous fund from the Silicon Valley who invested early in companies like Google, Facebook, Airbnb, Stripe, Paypal and much more...

‍‍‍ Grow from 7 cofounders to 370+ happy Pennylaners : we’re now recognized as one of the greatest places to work in France (but also remotely), with a 5/5 rating on Glassdoor and an e-NPS of 94.

Build an international environment with more than 26 nationalities, with a strong remote-friendly culture, where 30% of the employees are already working from all parts of Europe

Earn the trust of thousands of customers and accounting firms and obtain outstanding ratings

**WHY this position is of utmost importance to reach our mission**

We are looking for an Application Security Engineer to join Louis and Romain in the technical security team. Reporting directly to Guillaume, our Head of Information Security, you will be responsible for all technical matters involving security issues. Working with the security compliance team, you may be required to provide technical support to the team in the definition and monitoring of long-term projects designed to strengthen the security of our assets in a sustainable manner. You will have a key role in advising, assisting, informing, training and alerting all employees (especially developers). You will also be responsible for the day-to-day management of technical operations in the context of ISO 27001 certification.

The technical security team is involved from the identification/detection of a security issue to its resolution (development and implementation of the security patches). If the needs or the complexity of the patch are too great, the security team can count on the support of the developers and in particular the Security Champions team to sustain the effort.

**Your tasks**

You will be required to work on:

- All technical security issues/projects while providing technical support on compliance needs

Let’s break it down
- Security by design within the projects by discussing with the teams to consider the security risks
- To be proactive in the security projects to be carried out, to define and to prioritize them
- Ensure compliance with ISO 27001 controls (processes) related to development (mandatory code practices, validation, patch management, vulnerability management, etc.) by training developers, monitoring projects (tech, product), conducting regular internal audits and managing tech non-conformities
- Conducting code reviews from a secure development point of view (about 80 releases per day, not all of which have security implications, but it is an important and recurring topic)
- Build/Improve secure development training materials and conduct regular training sessions with the developers
- Contribute to tenders to explain our security policies and provide the necessary technical details

Learn about Rails and React to detect vulnerabilities during code reviews and implement associated patches
- Strengthen the current means of detecting malicious attempts

These missions are not exhaustive and remain evolving.
- Working in an English-speaking environment doesn't scare you, you don't need to be bilingual. You need to be able to share your ideas and thoughts well in spoken and written English and to understand what is being said. If you need help with this, we can provide you with a Busuu subscription to improve your English immediately.
- You ideally have the following skills/experience
- You know how to exploit and fix a wide range of Web vulnerabilities (not just the OWASP top 10)
- You already have an experience in a programming language (Ruby, Python, JavaScript), either for quick and dirty scripting to exploit a vulnerability or for larger projects
- You have an experience in cloud infrastructure security
- You are able to popularize technical terms to facilitate the adoption of security measures within projects or to