Key Responsibilities
- API & Ecosystem Architecture
- The API Fortress: Architect the security layer for our API Gateway (e.g., Kong,
Apigee, AWS Gateway). Define global policies for Rate Limiting, Throttling, and
Authorization (preventing BOLA/IDOR attacks).
- Supply Chain Security: Design secure integration patterns for our 3rd party partners
(Fintechs, Credit Bureaus, Payment Processors). Ensure their insecurities do not
become our breaches.
- Microservices Mesh: Define how our internal services trust each other. Move from
"Network Trust" to "Cryptographic Trust" using mTLS and Service-to-Service
authentication.
- Identity & Access Management (CIAM)
- Identity Strategy: Own the architecture for Customer Identity (CIAM). Design flows for
Biometric Binding, Adaptive MFA, and Step-Up Authentication for high-value
transactions.
- Token Lifecycle: Define the standards for OAuth 2.0 and OpenID Connect (OIDC).
Ensure we are using Financial-grade API (FAPI) standards for token issuance,
revocation, and storage.
- Secure Development Lifecycle (SDLC)
- Threat Modeling: Lead "Whiteboard Hacking" sessions with product owners. Identify
business logic flaws (e.g., race conditions in ledgers, bypassable KYC steps) before a
single line of code is written.
- Paved Roads: Work with DevOps to architect secure-by-default libraries. (Example:
Create a standard "Encryption Wrapper" library that all developers must use, so they
don't invent their own crypto).
- Data Privacy & Cryptography
- Data Defense: Define the architecture for Field-Level Encryption (FLE) in the
database for PII and Banking Secrets.
- Privacy Engineering: Architect systems that support "Right to be Forgotten"
(GDPR/CCPA) without breaking the immutability of the financial ledger.
Strategic Deliverables
- Identity Patterns: Deliver new security design patterns and components for
authentication, authorization, SSO, MFA, and Partner security to ensure seamless and
secure user access.
- Mobile & Edge: Deliver new security design patterns and components for Mobile
security, ensuring consistency between iOS, Android, and the backend.
- Modern Tech Stack: Deliver API, container, cloud, and AI security design patterns to
support the bank's move toward intelligent, cloud-native infrastructure.
What We Are Looking For
- The Background
- 8+ Years Experience: A mix of Software Engineering and Security Architecture.
- Ex-Developer: You must be able to read code (Java, Kotlin, React or Node.js, ).
- Banking/Fintech Experience: Strong preference for candidates who have secured
payment gateways, ledgers, or wallets.
- The Technical Skills
- API Security: Deep mastery of REST and GraphQL security.
- Auth Protocols: You can draw the OAuth 2.0 Authorization Code Flow with PKCE
from memory. You understand JWT signing and JWKS key rotation.
- Mobile Security: Understanding of how mobile apps store secrets
(KeyStore/Keychain) and how to prevent API abuse from emulators/bots.
- The Mindset
- Business Aligned: You understand that a bank exists to process transactions. You
design security that reduces risk without destroying the User Experience (UX).
- Pragmatic: You know when to demand a "Blocker" fix and when to accept a "Risk
Acceptance" waiver.