Application Security Engineer (AppSec)

About Zenus

 Zenus’ mission is to facilitate banking beyond borders. Operating in over 150 countries, we enable people and businesses to open a US bank account online, without the need to be a US citizen, resident, or a company registered in the US — opening up the security, stability and freedom of US banking to the world. As a signatory of the UN’s Principles for Responsible Banking, we are committed to making finance fair.

Our state-of-the-art technology, exclusive partnerships and proprietary processes are now being made available via our embedded banking services to enable other businesses to create new financial service experiences for their customers.

Headquartered in San Juan, Puerto Rico, we have a diverse and inclusive team.

About the role

The Application Security Engineer (AppSec) is responsible for ensuring the security of applications, APIs, and software components throughout the software development lifecycle.
Operating within the SecOps domain and reporting to the Information Security Officer (ISO), the AppSec role focuses on secure design, code-level security, vulnerability identification, and controlled offensive testing, ensuring that applications meet organizational security standards before and after deployment.

This role owns what is built securely, not cloud platform configuration or CI/CD automation.

This position is hybrid, requiring on-site presence with a schedule of:

• 3 days on-site
• 2 days remote

Responsibilities & duties:

• Perform application security testing, including SAST, SCA, and DAST analysis.
• Execute internal manual penetration testing of applications and APIs on a quarterly basis, within approved scope.
• Conduct threat modeling for new applications and significant changes.
• Identify, analyze, and document application-level vulnerabilities and security weaknesses.
• Work directly with development teams to support secure remediation and secure coding practices.
• Define and maintain secure coding standards aligned with OWASP Top 10 and OWASP API Top 10.
• Validate that security findings are properly remediated before release.
• Maintain vulnerability tracking and reporting in Archer or approved systems.
• Support ISO during audits and security assessments by providing application security evidence.

What you need for this role:

• 3+ years of experience in application security, secure software development, or ethical hacking.
• Strong knowledge of secure coding principles and common application vulnerabilities.
• Hands-on experience with SAST, DAST, and SCA tools.
• Experience performing manual application and API penetration testing.
• Familiarity with REST APIs, authentication mechanisms, and authorization models.
• Understanding of CI/CD pipelines from a security testing perspective.
• Strong documentation and vulnerability reporting skills.