Senior Application Security Engineer
About the role
About the role

Pennylane is one of the fastest-growing fintechs in France (and soon in Europe!). In 5 years of existence, we have managed to:
- Make ourselves known as a groundbreaking accounting and financial software for small businesses and their accountants
- Raise a total of €359 million, including from Sequoia, the well-known Silicon Valley fund that invested early in companies such as Google, Facebook, Airbnb, Stripe and PayPal
- Grow from 7 cofounders to 1,000 happy Pennylaners: we are now recognized as one of the best places to work in France (and remotely), with a 4.6/5 rating on Glassdoor
- Build an international environment with more than 25 nationalities and a strong remote-friendly culture, with 30% of employees already working from all parts of Europe
- Earn the trust of thousands of customers and accounting firms and obtain outstanding ratings
- Already more than 1,000,000 small and medium-sized enterprises (SMEs) and over 6,000 accounting firms use Pennylane in France!

Team and environment

As we keep growing (+500 people joined Pennylane in 2025!), we are seeking an Application Security Engineer to join Louis's team of 5. You will handle all technical security matters, support ISO 27001 compliance, and advise employees, especially developers, on security best practices. The technical security team manages security issues from detection to resolution, collaborating with developers and Security Champions when needed.

Your tasks

Security by design: ensure the security of Pennylane's application and infrastructure
- Engage with the Product team to integrate security into our features from the beginning, from design to delivery
- Ensure the security of the main web application, written in Ruby on Rails and ReactJS: its dependencies, its code, its infrastructure and its configuration
- Conduct code reviews from a secure-development point of view (about 80 releases per day)
- Detect vulnerabilities and propose the associated patches
- Raise the security level of our CI/CD configuration
- With the DevOps team, secure our AWS infrastructure, including its Kubernetes environment (AWS EKS)

Vulnerability management
- Conduct regular security assessments (internally or by external consulting companies) on the applications (code reviews, pentests and bug bounty in particular) and the infrastructure
- Strengthen the current means of detecting malicious attempts
- Be involved in all security incidents: investigate logs, block attacks, and propose corrective measures to prevent future threats

Compliance & awareness
- Ensure compliance with the ISO 27001 controls (processes) related to development (mandatory coding practices, validation, patch management, vulnerability management, etc.) by training developers, monitoring projects (tech, product), conducting regular internal audits and managing tech non-conformities
- Build and improve secure-development training materials and conduct regular training sessions with the developers, engaging them in our Security Champions program
- Improve security awareness across the company
- Contribute to tenders by explaining our security policies and providing the necessary technical details

These missions are not exhaustive and will evolve.

You're the right candidate if

You ideally have the following skills/experience:
- You are able to perform offensive security assessments on an infrastructure and an application
- You know how to exploit and fix a wide range of web vulnerabilities (not just the OWASP Top 10) and can explain them to a non-technical person
- You already have experience with a programming language (Ruby, Python, JavaScript), either for quick-and-dirty scripting to exploit a vulnerability or for larger projects
- You have experience in cloud infrastructure security
- You are able to explain technical terms in plain language, to facilitate the adoption of security measures within projects or to broadcast messages to Pennylaners
- You are fluent in French and/or English (both oral and written)

Your soft skills:
- You are humble
- You are a team player, and working with remote colleagues is not an issue for you
- You are proactive and organized
- You are a quick learner, and you like to work on different projects (application security, cloud infrastructure, training, ISO 27001...)

What does the recruitment process look like?

You will first have a