Application Security Engineer
Application Security Engineer - Manchester Based (3 Days Hybrid)
About Finova
Finova is the UK’s largest financial services technology provider, supporting one in every five mortgages nationwide. Our agile, cloud-native solutions enable over 60 banks, building societies, specialist lenders, equity release providers and a network of 2,400+ brokers to stay ahead in a competitive market.
Built on open architecture and backed by deep industry expertise, our platform is designed to scale. Each year, we process over £50 billion in loans, manage nearly £50 billion in savings, and support the digital servicing of more than 650,000 UK borrower accounts.
Be part of a team that’s driving innovation, enabling growth and shaping the future of UK lending.
For Lenders
Finova offers a flexible, modular technology suite designed to help lenders move faster, scale efficiently and deliver standout digital experiences.
Financial Institutions use Finova to launch products faster, process applications up to 50% more efficiently and reduce operational costs — all while staying fully compliant in a fast-moving market.
About the Role:
Finova is seeking a hands-on Application Security Engineer to embed security into the design, build, and shipment of software across a multi-cloud SaaS fintech platform.
Core Responsibility: Partner closely with developers, the IAM Specialist, and the Cloud Security Engineer to ensure identity, infrastructure, and code are defended together.
The Stack: Multi-cloud environment spanning AWS, Azure, and GCP. Applications run on .NET / ASP.NET with SQL Server backends.
Key Challenge: Protect regulated financial data while defending a growing portfolio of AI-powered features against a new class of application risks (e.g., prompt injection, model abuse, and training data leakage).
Work Model: A highly collaborative, hands-on hybrid role focused on making secure-by-default the path of least resistance for engineering teams.
About you:
Experience: 4–6 years in application security, product security, or security-focused software engineering within regulated environments.
Framework Expertise: Strong working knowledge of .NET / ASP.NET application security (Claims-based identity, ASP.NET Core authorization, data protection APIs).
Security Models: Deep, practical familiarity with the OWASP Top 10, OWASP ASVS, and hands-on experience leading threat modelling sessions (STRIDE/attack trees).
CI/CD Pipeline Skills: Experience integrating and tuning security tools (SAST, SCA, DAST) within Azure DevOps, GitHub Actions, or similar pipelines.
Code Review: Confident reading and reviewing C# code to find authorization flaws, deserialization issues, or tenant isolation gaps during PRs.
Core Fundamentals: Solid understanding of cryptographic primitives, API security at scale (OAuth 2.0 / OIDC, JWT pitfalls), and SaaS multi-tenancy data exposure risks.
Consultative Delivery: Experience working as a delivery engineer or consultant, shipping security work into messy, deadline-driven customer environments.
Communication: Clear communicator who can effectively coach a junior engineer, debate with a senior engineer, and explain critical risks to non-technical executives.
Nice-to-Have
Fintech Background: Experience working in fintech, payments, banking, or insurance environments.
AI Security: Hands-on experience securing AI/LLM features, prompt injection defense, and familiarity with OWASP LLM Top 10 or MITRE ATLAS.
Offensive Security: An offensive security background (OSCP, OSWE, or equivalent) or experience with bug bounty program design.
Certifications: CSSLP, GWAPT, GWEB, CISSP, or vendor-specific cloud security certifications.
Database Security: Experience identifying SQL Server-specific application risks, including ORM misuse and stored procedure vulnerabilities.
Community Contributions: Contributions to open-source security tooling, CVE research, or published security writing.
About You
You are a security champion who bridges the gap between deep technical code and fast-moving software delivery. You don't view security as a roadblock, but rather as an engineering discipline dedicated to making the secure path the easiest path for developers.
Key Attributes:
The Collaborative Builder: You thrive in shared-accountability environments, working alongside infrastructure and identity specialists to build multi-layered defenses.
Pragmatic and Ruthless: You believe in tuning tools to protect developer workflows from noise, ensuring that every alert is a high-signal, high-trust finding.
Curious and Adaptive: You are energized by new technical frontiers, eagerly translating the emerging risks of AI endpoints and LLMs into practical engineering guardrails.
Resilient Communicator: You are comfortable operating in the realities of regulated environments, translating complex vulnerabilities into business context for leadership while remaining a trusted peer to developers.
What will you be doing?
Secure SDLC & Shift-Left Automation
Toolchain Ownership: Own the application security toolchain end-to-end (SAST, SCA, DAST, secrets, container, and IaC scanning) integrated into Azure DevOps and GitHub Actions.
Scanner Optimization: Tune scanners ruthlessly to maximize high-signal findings and eliminate noise so engineers trust the alerts.
Early Detection: Build and maintain pre-commit and pull-request security checks to catch issues before code is merged.
Vulnerability Management: Drive CVSS-based SLAs, automated tracking, and exception workflows for application-layer issues across product teams.
Coding Standards: Define and evolve secure coding standards for .NET / ASP.NET (input validation, cryptography, logging, and authorization patterns).
Threat Modelling & Secure Design
Active Threat Modelling: Lead threat modelling sessions for new features using STRIDE or attack trees, turning outputs into tracked work items.
Design Architecture: Review Architectural Decision Records (ADRs), API designs, and data flow diagrams before code gets written.
Developer Pairing: Provide hands-on security guidance by pairing with developers on complex authorization logic, cryptographic choices, or tenant isolation.
Pattern Catalogues: Maintain a living catalogue of approved secure patterns and anti-patterns so teams can build securely at speed.
Vulnerability Management & Penetration Testing
Lifecycle Management: Own the remediation lifecycle for application findings discovered via internal testing, customer reports, bug bounties, and external pentests.
Pentest Coordination: Scope and coordinate external penetration tests, select vendors, challenge false positives, and build remediation plans.
Internal Testing: Conduct manual code reviews of high-risk areas, dynamic testing of new features, and adversarial reviews of authorization logic.
Purple-Teaming: Build and run purple-team exercises against internal applications to test detection and response capabilities alongside Security Operations.
Application-Layer Authorization (in partnership with IAM)
Access Validation: Partner with the IAM Specialist to ensure RBAC/ABAC implementations behave correctly, tenant context is mandatory, and defaults fail closed.
ASP.NET Hardening: Review and harden authorization implementations (Claims, policies, attributes, custom middleware) and write unit/integration tests to prove isolation.
Policy Design: Contribute to OPA / Rego policy design from the application side and integrate policy decision points into application code.
Bug Hunting: Systematically hunt for high-stakes authorization bugs such as IDOR/BOLA and other broken access control, and mass assignment.
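As an added illustration of what "tenant context is mandatory, defaults fail closed", the IDOR/BOLA hunting and "tests to prove isolation" above look like in ASP.NET Core (example code written for this page, not Finova's own; the `tenant_id` claim name, the `MortgageAccount` type, the `IAccountStore` abstraction and the `TenantOwner` policy name are all assumptions):

```csharp
// Added example, not Finova's code. Shows the authorization responsibilities
// listed above: tenant context is mandatory, the handler fails closed, IDOR/BOLA
// is mitigated, mass assignment is prevented, and a unit test proves isolation.
// Assumptions: a "tenant_id" claim, a MortgageAccount resource, an IAccountStore
// repository abstraction and a policy named "TenantOwner".
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Xunit;

public sealed record MortgageAccount(string Id, string TenantId, decimal Balance);

public interface IAccountStore
{
    Task<MortgageAccount?> FindAsync(string id);
}

// Marker requirement: the caller's tenant must own the resource.
public sealed class TenantOwnerRequirement : IAuthorizationRequirement { }

public sealed class TenantOwnerHandler
    : AuthorizationHandler<TenantOwnerRequirement, MortgageAccount>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        TenantOwnerRequirement requirement,
        MortgageAccount resource)
    {
        // Fail closed: a missing or empty tenant claim, or a mismatch, simply
        // never calls Succeed(), so the policy evaluates to Forbid. There is
        // no "else allow" branch for a later refactor to reach by accident.
        var tenant = context.User.FindFirst("tenant_id")?.Value;
        if (!string.IsNullOrEmpty(tenant) &&
            string.Equals(tenant, resource.TenantId, StringComparison.Ordinal))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Registration (Program.cs):
//   builder.Services.AddSingleton<IAuthorizationHandler, TenantOwnerHandler>();
//   builder.Services.AddAuthorization(o => o.AddPolicy("TenantOwner",
//       p => p.AddRequirements(new TenantOwnerRequirement())));

[ApiController]
[Route("api/accounts")]
[Authorize] // authentication is required here; authorization is per resource below
public sealed class AccountsController : ControllerBase
{
    private readonly IAccountStore _store;
    private readonly IAuthorizationService _authz;

    public AccountsController(IAccountStore store, IAuthorizationService authz)
    {
        _store = store;
        _authz = authz;
    }

    // Mass-assignment guard: bind to an allow-listed DTO, never to the entity,
    // so a client cannot smuggle "tenantId" or "balance" into an update body.
    public sealed record UpdateAccountRequest(string PreferredName);

    [HttpGet("{id}")]
    public async Task<IActionResult> Get(string id)
    {
        var account = await _store.FindAsync(id);
        if (account is null) return NotFound();

        // Authorize against the loaded resource, not the raw id (BOLA/IDOR).
        var result = await _authz.AuthorizeAsync(User, account, "TenantOwner");

        // Same 404 for "missing" and "belongs to another tenant", so the id
        // space cannot be enumerated across tenants.
        return result.Succeeded ? Ok(account) : NotFound();
    }
}

// Isolation tests (xUnit): a tenant-A principal must not pass for a tenant-B
// account, and an authenticated principal with no tenant claim passes for nothing.
public sealed class TenantOwnerHandlerTests
{
    private static ClaimsPrincipal PrincipalFor(string? tenant) =>
        new(new ClaimsIdentity(
            tenant is null ? Array.Empty<Claim>() : new[] { new Claim("tenant_id", tenant) },
            authenticationType: "test"));

    private static async Task<bool> Evaluate(string? callerTenant, string resourceTenant)
    {
        var ctx = new AuthorizationHandlerContext(
            new[] { new TenantOwnerRequirement() },
            PrincipalFor(callerTenant),
            new MortgageAccount("acc-1", resourceTenant, 1000m));
        await new TenantOwnerHandler().HandleAsync(ctx);
        return ctx.HasSucceeded;
    }

    [Fact] public async Task SameTenant_Allowed() => Assert.True(await Evaluate("tenant-A", "tenant-A"));
    [Fact] public async Task CrossTenant_Denied() => Assert.False(await Evaluate("tenant-A", "tenant-B"));
    [Fact] public async Task NoTenantClaim_Denied() => Assert.False(await Evaluate(null, "tenant-A"));
}
```

The design point is that the handler has a single success path and no default allow, the controller authorizes the loaded object rather than trusting the route id, and the tests exercise the deny cases (cross-tenant and missing claim) rather than only the happy path, which is what "prove isolation" means in a PR review.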
API & Service Security
API Standards: Define and enforce standards for authentication and authorization (OAuth 2.0 / OIDC, mTLS), rate limiting, and schema validation across REST, GraphQL, and gRPC.
Gateway Hardening: Partner with the Cloud Security Engineer to harden API gateway configurations, request validations, and JWT validation rules.
Layer-7 Protections: Implement and monitor WAF rules, bot management, and anti-automation controls without disrupting legitimate customer integrations.
Inventory Tracking: Maintain a clear inventory of internal and external APIs, their classifications, and their security postures.
AI & ML Application Security
AI Risk Leadership: Lead security thinking for AI features, defending against prompt injection, jailbreaks, model DoS, and inference data leakage.
Adversarial Testing: Design and run security testing for LLM-backed endpoints and feed findings back into prompt design and guardrails.
Confused-Deputy Prevention: Collaborate with IAM to ensure AI endpoints cannot be weaponized to bypass direct access limitations.
Data Pipeline Security: Define secure-use patterns for embeddings, vector databases, RAG pipelines, and feature stores to prevent tenant data leaks.
Landscape Tracking: Translate evolving AI security frameworks (OWASP LLM Top 10, MITRE ATLAS) into practical engineering standards.
Compliance, Evidence & Engineering Enablement
Automated Evidence: Ensure application security controls satisfy SOC 2 Type II and PCI DSS requirements via automated evidence collection in the pipeline.
Audit Support: Support audits and customer assurance reviews by providing technical context and clear remediation narratives.
Security Training: Run secure coding workshops, threat modelling enablement, and post-incident learning sessions for engineers.
Incident Response: Contribute to incident response for application-security events through root-cause analysis and blameless post-mortems.
What We Offer:
Hybrid working 🕰️
Work in a hybrid way that suits you. Our model is primarily office-based, with flexibility to work remotely as needed. We're committed to supporting a healthy balance between work and life.
Private medical insurance 👩‍⚕️
Comprehensive health cover, with the option to add your family to your plan, because your well-being matters to us.
Life assurance & income protection 💰
We provide life assurance and income protection to give you peace of mind for the future.
Family friendly policies 👶
Our enhanced family-friendly policy goes beyond maternity and paternity leave, offering paid time off for when plans change or alternative paths to parenthood are needed.
Work from anywhere 🌴
Some thrive in the office, others at home, and many do best with choice. With approval, Finova employees can work abroad for up to 4 weeks each year.
Flexible holiday package 🗓️
Enjoy 25 days' paid holiday allowance, plus all public holidays. You can also rebook any public holiday for a day that aligns with your personal beliefs or celebration calendar. We also offer holiday trading, allowing you to purchase or sell holiday allowance.
Company pension scheme 🏦
With salary exchange, you save on tax and can build a secure future.
Employee assistance programme 💞
We understand that mental health is just as important as physical health. Access to a 24/7 confidential counselling helpline ensures you have support when you need it.
Electric car scheme 🚗
Get a brand-new electric vehicle through salary sacrifice, paid for from your gross monthly pay, saving on Income Tax and National Insurance.
Health cash plan 🏥
Our Health Cash Plan lets you prioritise your wellbeing by providing effortless reimbursement for everyday healthcare costs, from dental and optical visits to physiotherapy.
Gym discounts 🏋️
Achieve your fitness goals for less with GymFlex, which offers significant savings on annual memberships at over 3,000 gyms and leisure centres nationwide.
Perks that matter 🎁
We fuel your day with a fully stocked pantry of fresh fruit and snacks and keep the team spirit high with weekly socials and events.
Equal Opportunity Statement
We value diversity and are committed to creating an inclusive environment for all employees. If you’re passionate about this role but don’t meet all the criteria, please reach out, we’d love to discuss how your skills and experiences align with our needs.
- Department: People, Risk, IT & Security
- Role: IT & Security
- Locations: Manchester
- Remote status: Hybrid
- Employment type: Full-time
About Finova
As a leading fintech innovator, Finova supports 1 in 5 mortgages in the UK. We're in the midst of an exciting transformation, and we're looking for passionate individuals to join us on this journey. If you're ready to be part of a fast-growing company with bold ambitions and real momentum as we shape the future of mortgage and savings technology - let’s talk.