This role is about building security into those APIs, not reviewing them after the fact.
We are looking for a hands-on security engineer who codes, understands how attackers break APIs, and uses that mindset to build real, production security controls.
Not SOC
Not compliance
Not pentest-only
Builder with a breaker mindset
Job Responsibilities:
- Build and ship API security controls used by product teams (authZ checks, validation, abuse prevention).
- Defend against business logic attacks (BOLA/IDOR, mass assignment, workflow abuse).
- Design and validate OAuth2, OIDC, JWT** implementations across internal & external APIs.
- Build **automated attack simulations to test the controls you deploy.
- Harden and secure API gateways (Kong / Azure API Gateway).
- Define security patterns for partner integrations & Open Banking APIs.
What We’re Looking For:
- Bachelors Degree in Computer Science or equivalent field.
- Strong software engineering background (you write production-quality code).
- Hands-on Application / API Security experience.
- Deep understanding of REST & GraphQL security.
- Solid knowledge of OAuth 2.0, OpenID Connect (OIDC), JWT.
- Comfortable with Python for automation and security tooling.
- Experience with tools like Postman, Burp Suite, 42Crunch (or similar).
Why This Role:
- Protect real financial transactions at digital bank scale.
- Build security once and have it used everywhere.
- Work closely with platform & product engineering teams.
- High ownership, real impact, real attackers in mind.
Good Fit If You Are:
- A security engineer who codes daily.
- A builder curious about how systems break.
- Someone who prefers ownership over reports.