• Sr. Application Security Engineer

    Regular Full-Time
    US-CA-San Carlos
  • Overview

    Oportun is a financial technology company founded in 2005. Our mission is to provide affordable loans to US Latinos and others with limited credit history so they can establish credit and build a better future. Oportun uses advanced data analytics and technology to “score” and lend money to individuals with limited credit history – people other lenders consider “unscorable.”  


    In recognition of Oportun’s goals of increasing economic opportunity for our clients, promoting community development, and serving low-income or underserved communities, Oportun was certified by the United States Department of Treasury as a Community Development Financial Institution or CDFI. 


    At Oportun, everything we do reflects our corporate values of Service, Care, Innovation, Courage, Excellence, and Empowerment.


    Oportun is a great place to work if you are as enthusiastic about helping others as you are about your own professional development and career. As our CEO Raul Vazquez says, “Earning a paycheck to support yourself and your family is critical. Satisfying career ambitions is rewarding. But there is no greater privilege than having a challenging job where you are growing and learning professionally, while having a strong positive impact on the lives of others… And that is what we do here every day.”


    Oportun is looking for a Sr. Application Security Engineer to join our Product & Application Security Team. This experienced engineer will help maintain and improve our cutting-edge security program. The right candidate will balance technical expertise with the ability to understand and support Oportun’s business priorities and risk appetite. This individual must operate with a high degree of autonomy, accountability and maturity.

    As a Sr. Application Security Engineer, you will

    • Improve secure coding practices, application security requirements, automation, training, and metrics
    • Integrate threat modeling practices into the Software Development Lifecycle
    • Attend engineering design and application architectural reviews and actively lead discussions from a security standpoint.
    • Help build secure products and standards around emerging technologies, using existing standards and security practices
    • Perform Security Architecture and Low-Level Application Security Design review involving: Data Protection, Authentication and Authorizations, Web Application Security, Mobile Security and Network Security
    • Collaborate with product development and product management teams proactively to manage software security risk aligned with business goals
    • Collaborate with product and solution teams to achieve Cybersecurity software security program objectives
    • Manage cross-functional internal and external team collaboration, evangelization, and communications
    • Develop and optimize processes to improve software development efficiency in the consumption of security development practices
    • Maintain active understanding of industry practices for secure software development and incident response
    • Help manage the vulnerability management program
    • Work with Security and Engineering teams on:
      • Evaluation of new security trends and technologies
      • Assessment and acquisition of application security tools and technologies
      • Vulnerability/pen testing assessment and remediation workflows
      • Audit compliance reporting
      • Incident response workflows
      • Participate as a subject matter expert in the incident response process


    • 6+ years of Experience in Web & Mobile Application Security, SSDLC and Threat Modelling (web and mobile applications)
    • Hands-on experience with Java, C#, JavaScript and HTML; experience in building enterprise web applications is required
    • Python and/or PowerShell scripting knowledge required. API integration experience is a significant bonus.
    • Extensive private and public cloud experience (AWS preferred, but Azure or Google Cloud, etc., acceptable).
    • A strong understanding of security design and architecture
    • MUST have deep understanding of OWASP Top 10 and CWE 25; with proven track record and experience in implementing and integrating remediation strategies
    • Excellent understanding of web applications, mobile applications, layer 7 application technologies, frameworks and protocols with respect to application development and deployment
    • Well versed in web & mobile application security design, penetration testing, application risk assessment and risk categorization
    • Experience with usage and customization of commercial static and dynamic analysis tools, such as Fortify, Coverity, Checkmarx, WebInspect, Acunetix, Burp, Kali and Veracode.
    • Ability to develop solutions for moderately-complex to highly-complex problems.
    • Success in implementing effective Secure SDLC frameworks across a large corporation.
    • Proficient at problem identification, research and resolution
    • Ability to effectively manage time between projects and daily operational tasks.
    • Excellent written and oral communication skills; highly motivated and willing to do what it takes to get the job done.
    • Strong communication skills, both written and verbal. Good presentation skills and the ability to work well under pressure.


    Preferred Skills/Experience:

    • Applicable certifications strongly preferred
    • Bachelor’s degree in Computer Science, Information Technology or similar field, or equivalent experience.



    We offer competitive salaries, bonuses, stock options, great benefits and a fully-loaded laptop of your choosing. We have strong opinions about work/life balance, and seek to create a comfortable and productive environment where we can ship apps that we’re proud of and that best serve our customers.




