Senior Application Security Engineer

Join to apply for the Senior Application Security Engineer role at Rain

Rain is the fastest-growing earned wage access (EWA) fintech in the U.S., serving 3.5 million employees and backed by top investors like QED and Prosus. We are seeking a skilled and driven Senior Application Security Engineer to join Rain's growing Security team. This role focuses on secure software development and cloud-native defense and involves working with engineering squads and the Cloud Security and GRC teams to improve Rain's application and platform security posture. It is technically grounded, with direct engagement in application-layer matters and security reviews, and contributions to cloud security automation, awareness initiatives, and secure engineering practices across the SDLC.

• Collaborate with development squads to validate vulnerabilities and provide actionable remediation guidance aligned with business risk.
• Drive threat modeling sessions for critical systems and APIs.
• Design, implement, and oversee automated processes for securely updating application and code dependencies, ensuring timely remediation.
• Integrate security checks into CI/CD pipelines (SAST, DAST, SCA, IaC) using tools like Semgrep, Snyk, Trivy, and Burp Suite.
• Contribute to runtime security initiatives (container/Kubernetes hardening, RASP, eBPF-based detection).
• Build and maintain a security issues dashboard to track remediation status and metrics.
• Provide real-time support during cybersecurity incidents impacting applications or cloud infrastructure.
• Partner with the Cloud Security team on automation tasks and monitoring improvements (e.g., Security Hub remediation automations, DLP monitoring).
• Conduct proactive research on new threats and attack techniques relevant to Rain’s architecture.
• Collaborate with the GRC team to develop and deliver internal security awareness initiatives (phishing campaigns, secure coding training for developers).
• Participate in the continuous improvement of AppSec maturity (e.g., OWASP SAMM, ISO 27001, SOC 2).

• Fluent English with strong verbal and written skills; excellent communication to convey security risks to technical and non-technical stakeholders.
• 3–5+ years in application security, penetration testing, or secure code development, including work with QA teams.
• Hands-on experience with SAST, DAST, and SCA tools (e.g., Semgrep, Burp, Snyk).
• Deep understanding of web, mobile, and API vulnerabilities (OWASP Top 10, API Top 10, MITRE CWE).
• Proven expertise in code reviews or security assessments and clear reporting.
• Proficiency in at least one backend language (e.g., Go, Python, Node.js) and understanding of React/React Native front-ends.
• Familiarity with secure architecture of microservices, event-driven systems, and REST APIs using OAuth2/OpenID Connect.
• Experience securing CI/CD pipelines and integrating AppSec tooling into SDLC.
• Solid knowledge of containerization and Kubernetes security fundamentals.
• Understanding of cloud security (preferably AWS), including IAM, cloud-native configurations, and network segmentation.
• Comfort with Agile methodologies and working in cross-functional squads.
• Software supply chain security (e.g., SBOM, artifact signing).

• Certifications such as OSCP, OSWE, GWAPT, CPTE, or CSSLP.
• AWS, GCP, or Azure Security Specialty certification.
• Familiarity with bug bounty triage and vulnerability management platforms (e.g., DefectDojo).
• Experience implementing RASP or eBPF runtime protection tools.
• Exposure to LLM/AI security considerations and secure code generation practices.
• Familiarity with logging and monitoring tools (e.g., CloudWatch, Datadog, Grafana).

Rain is a diverse, mission-driven company that values data-guided action, fast execution, and continuous learning. We are committed to Equal Employment Opportunity and do not discriminate based on race, religion, color, national origin, ethnicity, gender, sex (including pregnancy), protected veteran status, age, disability, sexual orientation, gender identity, gender expression, or any unlawful criterion under applicable laws. If you need assistance or accommodation due to a disability, you may contact us at ******.

Note: This posting reflects the current opening and is not a guarantee of employment status. Referrals increase your chances of interviewing at Rain.

Location note: New opportunities in Rio Verde, Goiás, Brazil.