
Security Engineer

Job in Chicago, Cook County, Illinois, 60290, USA
Listing for: Medium
Full Time position
Listed on 2025-12-09
Job specializations:
  • IT/Tech
    Cybersecurity
Job Description & How to Apply Below

About Us

Founded in 2014, we offer the industry’s first and only cloud-based, fully-customizable, end-to-end software solution to automate securities-based lending from origination through the life of the loan. By combining thought leadership in suitability and risk management with industry-leading education and the latest technology, Supernova enables advisors to deliver holistic, goals-based advice and to help their clients achieve financial wellness. We partner with the industry’s largest banks, most prominent insurance companies and leading online brokerages to democratize access to securities-based lending and better the entire financial ecosystem.

Why Join Supernova?

At Supernova Technology, we believe that the best results come from a team that is passionate, driven, and supported in all aspects of their professional lives. Here, you’ll work alongside talented and innovative individuals who are committed to driving the future of securities-based lending technology. We foster a culture of collaboration, continuous learning, and growth, where each person’s contributions make a real impact.

Job Overview

We are seeking a highly motivated and detail-oriented Security Engineer to help secure our securities-backed lending SaaS platform. The successful candidate will focus primarily on application security, secure SDLC, and application vulnerability management, while also assisting with the execution and implementation of broader information security initiatives. You’ll partner with engineering, SRE/DevOps, and business teams to embed security into our build and delivery processes, support risk reduction across cloud and endpoint surfaces, and drive measurable remediation outcomes in a regulated financial-services environment.

RESPONSIBILITIES
  • Perform hands-on web/API penetration tests, validate scanner findings, and provide clear PoCs, impact statements, and prioritized remediation aligned with OWASP.
  • Integrate and tune SAST, DAST, SCA, container, and secret‑detection tools in CI/CD; define pass/fail gates and PR checklists.
  • Conduct lightweight threat modeling and security design reviews for new features such as authentication, session management, and secrets handling.
  • Manage the full application vulnerability lifecycle (discover → prioritize → fix → retest → close) with SLAs and metrics.
  • Assist in hardening AWS and ECS/Docker workloads (IAM roles, network segmentation, image policies, logging/monitoring) and support patch hygiene across cloud, container, and endpoints.
  • Participate in incident response, including exploit reproduction, log analysis, impact assessment, and lessons learned.
  • Provide evidence for audits (ISO 27001, SOC 2, NIST SSDF), maintain policies and developer guidance, and support vendor/security evaluations.
  • Translate findings into developer‑ready tickets, publish secure‑coding guidance, and partner with engineering to streamline secure delivery.
  • Prototype automation, explore AI/LLM‑assisted workflows to improve triage and code review, and share improvements across teams.
  • Contribute to organization-wide cybersecurity training and awareness efforts.
QUALIFICATIONS
  • Bachelor's degree in security engineering, information assurance, or related field.
  • 2–3 years of experience in security or software engineering (internships, labs, or open‑source count), preferably in regulated industries.
  • Strong knowledge of web/API security issues (auth, session management, injections, SSRF, CSRF, access control) and common cloud/web misconfigurations.
  • Experience with SDLC security tools (SAST/DAST/SCA/secret detection/container scanning), CI/CD workflows, and Git.
  • Scripting or coding skills (Python or JavaScript/TypeScript) and ability to read backend code.
  • Familiarity with AWS security basics (IAM least privilege, KMS, logging/monitoring, security groups) and Docker/ECS runtime considerations.
  • Clear communication skills with the ability to translate risk into actionable remediation.
  • Experience using AI/LLM‑assisted tools for triage, documentation, or code review preferred.
  • Exposure to WAF/CDN tuning, API protection, and risk‑based remediation SLAs/metrics preferred.
  • Familiarity with frameworks like OWASP ASVS/SAMM,…