Senior Security Application Engineer



Other Engineering
Multiple locations
Posted on Tuesday, February 7, 2023

Here at Pleo, we're onboarding new customers with Sonic.gif speed, which is amazing don't get me wrong, but the larger we become, the bigger the temptation from cyber criminals. As you may already know, we are in the FinTech business, and we handle money for our customers. So this is not just about protecting a company from a password leak that allows malicious actors to post not-funny cat videos to your SoMe account - this is about directly protecting our customers' money. Well, this is where you (hopefully) come in!

This role focuses solely on the application security side. We are talking about both the security side of our application and ensuring our internal dev practices improve our product security maturity. What we're looking for is someone to be part of owning all of this - and to bring the overview and abstraction level when it comes to addressing the topic of application security itself. Our ideal candidate is an AppSec specialist aiming to grow and own the domain.

To give you a better idea, here are some tasks you might do as an Application Security Engineer at Pleo.

  • Work within our engineering teams by designing/reviewing technical solutions to address security weaknesses
  • Deep dive into various security subjects related to authentication, encryption and partner integrations
  • Reviewing and understand issues in code, from our managed bug bounty program and providing guidance to developers on how to fix them
  • Provide technical expertise to the GRC and DevOps team in developing and maintaining security automation in the continuous integration/continuous development (CI/CD) pipeline

Just to make it absolutely clear, we're not building a generalist security team to take over all security-related tasks. We're building a team of specialists to support other teams through paved paths, investigations, and coaching.

There will be a lot of flexibility in this role depending on your interests and skills, but as a Staff/Senior you will most likely:

  • Help plan, prioritize, and manage our Application Security roadmap.
  • Nurtur and execute projects supporting a long term security vision.
  • Continuously think about how we balance automation in controls and process against our defined data classifications while providing access and meeting the needs of the company.

We'd expect that you are highly skilled in certain areas ideally code review and dynamic testing and not in the whole security-verse. The most important is that you have a passion for the field, you are willing to expand your knowledge, and that you enjoy the responsibilities that come along with such a role.

Your profile

  • You recognize that communication is a core part of your job within application security
  • You are pragmatic in your approach to security - and apply the goldilocks principle. You understand that risk drives effort, effort drives cost, not the other way around.
  • You agree security isn't sorcery but is a matter of understanding complex systems and applying/recycling creative thinking to interesting problems.
  • You love learning new things and enjoy working with problem areas you aren't an expert in (yet).
  • You are honest and unafraid to state things exactly like they are - acknowledging and communicating what's broken is the first step to fixing things.

The nitty gritty skills

  • Able to work well with software development teams.
  • You are comfortable with server-side languages (we mostly use Kotlin and TypeScript but we know you can learn new languages)
  • You have experience identifying security issues through code review.
  • You have strong understanding and experience with common security libraries, security controls, and common security flaws.
  • You are known to be a subject matter expert (SME) in at least one technical area impacting the application security of products.

Nice to have skills

  • Java or Kotlin proficiency and experience with securing applications running on JVM.
  • Experience with PCI DSS, GDPR, or PSD2 requirements such as proper network segmentation and authorization mechanism. Maintaining compliance for financial applications like Pleo requires living up to a variety of formal security requirements and completing audits and certifications from time to time.


We don't really care about certificates, degrees, and all that jazz. However, we won't penalize you for talking about your super relevant degree in information security computer science or showing off your brand new certificate. We also don't need you to have x years of experience in information security, but would of course love for you to tell us about any experience that you think is relevant for the job.

Show me the benefits!

  • Your own Pleo card (no more out-of-pocket spending!)
  • Lunch is on us - whether you are working remote or at one of our offices 🍜
  • Private Health Insurance to ensure you’re fit of body and mind to do your best work
  • Flexible work: working from home when you want, where you want, why you want to (we trust you)
  • Trips abroad for team camps. This year we went to Croatia - we'd love to see you at the next one!
  • 25 days of holiday per year + your local public holidays
  • Paid parental leave - we want to make sure that we're supportive of families and help you feel that you don't have to compromise your family due to work 👶🏻
  • €2500 annual Flex Benefits budget (maybe you want to buy additional holidays, pay for the gym, book a professional coach or pay part of your MBA - completely up to you!). We know everybody prioritizes different benefits. So, our Flex Benefits package lets you choose what best suits you. Ask us about what we offer, we’ll be happy to outline more!

Why join us?

Working at Pleo means you're working on something very exciting: the future of work. Through fintech we've seen a way to impact how people work; we think company spending should be delegated to all employees and teams, that it should be as automated as possible, and that it should drive a culture of responsible spending. Based on some pretty amazing Series C-round investment in 2021 we think we're onto something big.

So, in a nutshell, that's Pleo. Today we are a 800+ team, from over 100 nations, sitting in our Copenhagen HQ, London, Stockholm, Berlin, Madrid, Montreal, or Lisbon offices —and quite a few full-time remotes in 35 other countries! Being HQ'd out of Copenhagen means we're inspired by sensible things like a good work-life balance. If you don't work in the office with us we'll help you get up the best remote setup possible and will fly you in for our amazing team camps ✈️

About your application

  • Please submit your application in English; it’s our company language so you’ll be speaking lots of it if you join 💕
  • We treat all candidates equally: If you are interested please apply through our application system - any correspondence should come from there! Our lovely support isn't able to pass on any calls/ emails our way - and this makes sure that the candidate experience is smooth and fair to everyone 😊
  • We’re on a mission to make everyone feel valued at work. That’s only achievable if our team reflects the diversity of the world around us - and that starts with you, hitting apply, even if you are worried you might not tick all the boxes! We embrace and encourage people from all backgrounds to apply - regardless of race/ethnicity, colour, religion, nationality, gender, sex, sexual orientation, age, marital status, disability, neurodiversity, socio-economic status, culture or beliefs.
  • When you submit an application we process your personal data as a data processor. Find out more about how your data is used in the FAQs section at the bottom of our jobs page.