Lead Application Security Engineer — Remote (Europe)
PARIS, 75
20 hours ago
Application Security Engineer
Join Pennylane’s team of 5 as an Application Security Engineer. You will handle all technical security matters, support ISO 27001 compliance, and advise employees—especially developers—on security best practices.
Your Tasks
- Engage with the Product Team to integrate security from design to delivery.
- Ensure the security of the main Web application written in Ruby on Rails and ReactJS: its dependencies, code, infrastructure, and configuration.
- Conduct code reviews from a secure development point of view (about 80 releases per day).
- Detect vulnerabilities and propose associated patches.
- Raise the security level of our CI/CD configuration.
- With the DevOps team, secure our AWS infrastructure, including its Kubernetes environment (AWS EKS).
Vulnerability Management
- Conduct regular security assessments (internally or with external consulting companies) on applications (code reviews, pentests, bug bounty) and infrastructure.
- Strengthen current means of detecting malicious attempts.
- Be involved in all security incidents: investigate logs, block attacks, and propose corrective measures to prevent future threats.
Compliance & Awareness
- Ensure compliance with ISO 27001 controls related to development (mandatory code practices, validation, patch management, vulnerability management, etc.) by training developers, monitoring projects, conducting internal audits, and managing technical non‑conformities.
- Build/Improve secure development training materials and conduct regular training sessions with developers. Engage them in our Security Champions program.
- Improve security awareness throughout the company.
- Contribute to tenders by explaining our security policies and providing necessary technical details.
Qualifications
- Able to perform offensive security assessments on infrastructure and applications.
- Know how to exploit and fix a wide range of Web vulnerabilities, and be able to explain them to non‑technical people.
- Experience in a programming language (Ruby, Python, JavaScript) for scripting or larger projects.
- Experience in cloud infrastructure security.
- Ability to explain technical terms in plain language to facilitate adoption of security measures within projects.
- Fluent in French and/or English (oral and written).
Soft Skills
- Humble.
- Team player, comfortable working with remote colleagues.
- Proactive and organized.
- Quick learner, enjoys working on diverse projects (application security, cloud infrastructure, training, ISO 27001).
Benefits
- 25 vacation days paid by Pennylane.
- Competitive compensation package.
- Company shares.
- Budget to improve home workspace; monthly allowance to work from coworking space.
- Access to partner gym network with many fitness spaces in Europe and wellness activities.
- Latest Apple equipment.
- Remote work allowed from any European country within two hours of the CET time zone.
- Regular company events such as Tech Days and annual seminar.
- For employees based in France: French contract, 6–12 RTT, 5 weeks PTO, lunch credits, healthcare cover, and events in Lyon, Bordeaux, Nantes.
We also want to emphasize that we fully embrace diversity, equity and inclusion and that we’re doing our best to create a safe and inclusive environment. We are committed to providing an equal employment opportunity regardless of gender, sexual orientation, origin, disabilities, or any other traits that make you who you are. If anything, diversity makes us a more fun place to work at.
Company
Pennylane
Publishing platform
WHATJOBS