Teya

Application Security Engineer

5h ago

United Kingdom

Job Description

Hello! We're Teya.

Teya is a payment and software service provider, headquartered in London, serving small, local businesses across Europe. Founded in 2019, we build easy-to-use, integrated tools that enable our members to accept payments and boost business performance.

At Teya we believe small, local businesses are the lifeblood of our communities.

We’re here because we don’t believe there’s a level playing field that gives small businesses a fighting chance against the giants of the high street.

We’re here because we see banks and legacy service providers making things harder for them. We don’t think the best technology or the best service should be reserved for those with the biggest headquarters.

We’re here to fight for a future where small, local businesses can thrive, and to commit the same dedication they offer all of us.

Become a part of our story.

We’re looking for exceptional talent to join our mission. We offer a chance to create impact in a high-energy and connected culture, while benefiting from continuous learning opportunities, a supportive community which is proud to serve our mission, and comprehensive benefits.

Your mission

At Teya, security is an enabler of fast, reliable product delivery. As a Senior Application Security Engineer, you’ll own and evolve how application security is designed, built, and operated across our products—ensuring banking-grade security without slowing teams down.

You’ll lead the development of a pragmatic Secure SDLC for a high-velocity fintech environment, embedding security into everyday engineering workflows. Working closely with product, platform, and security partners, you’ll help shift AppSec from reactive controls to proactive, developer-first security that scales with the business.

Responsibilities

- Design, implement, and continuously improve a Secure SDLC integrated from design through production
- Embed security into planning and delivery via threat modelling, security requirements, and automated controls
- Lead application security reviews for new systems, major features, and high-risk changes across web, API, mobile, and backend services
- Define and maintain secure architecture patterns for authentication, authorisation, APIs, data protection, and multi-tenant isolation
- Own the application security tooling stack (SAST, DAST, SCA), integrating it into CI/CD with high-signal, low-noise outputs
- Partner with engineers to triage and remediate vulnerabilities based on exploitability, impact, and regulatory risk
- Work with Security Operations to improve application-level logging, telemetry, and incident response readiness
- Act as a trusted advisor to engineering teams, raising the bar through practical guidance, documentation, and targeted training

Requirements

- 6+ years’ experience in application security, security engineering, or software engineering with a strong AppSec focus
- Demonstrated experience designing or operating Secure SDLC practices in fast-moving product teams
- Hands-on expertise in web and API security, including authentication, authorisation, data flows, and common vulnerability classes
- Proven experience integrating SAST, DAST, and SCA into CI/CD pipelines
- Strong threat modelling and secure design skills for complex, cloud-native systems
- Experience with modern backend and frontend or mobile stacks (e.g. JVM, Node.js, Go, TypeScript)
- Familiarity with AWS and cloud-native architectures (IAM, KMS, containers, microservices)
- Clear, pragmatic communication skills and the ability to influence through partnership rather than mandate

Nice to have:

- Experience in fintech, payments, or other regulated environments
- Familiarity with OWASP ASVS, OWASP Top 10, PCI DSS, DORA, or ISO 27001
- Exposure to mobile security, API gateways, WAFs, or infrastructure-as-code
- Security or cloud certifications (e.g. OSWE, OSCP, CSSLP, CISSP, AWS Security)

Ways of working

- Extreme ownership: You take end-to-end responsibility for outcomes, not just findings or tooling output
- Pragmatic and delivery-aware: You balance risk reduction with product velocity, focusing on changes that materially reduce risk
- Low-ego and collaborative: You build trust with engineers, product, and operations teams, influencing through credibility and partnership
- Impact-driven: You measure success through outcomes—risk reduction, adoption, and time-to-remediate—not activity
- Data-informed: You use metrics and trends to guide priorities and demonstrate impact
- High bar for craft: You produce clear documentation, reusable patterns, and automation that scale across teams
- AI-first mindset: You actively look for opportunities to use automation and AI to improve security outcomes

The Perks

- We trust you, so we offer flexible working hours, as long as it suits both you and your team;
- Health Insurance;
- Physical and mental health support through our partnership with MyFitness;
- 25 days of Annual leave (+ Bank Holidays);
- Possibility to visit other Teya offices to meet colleagues in instances when travel is safe and appropriate;
- Friday lunch in the office;
- Friendly, comfort