Software Engineer - Security
Modern Treasury · San Francisco, CA · 1 mo ago
On-siteEngineering$170k–$240k/yrFull-time
About the role
This role focuses on application, product, and infrastructure security, and sits at the intersection of security, platform, payments engineering, and infrastructure. You’ll shape how Modern Treasury manages risk at scale and design the systems that make programmatic, compliant money movement possible. We are looking for someone who can influence security strategy, drive DevSecOps automation and contribute to architectural design.
Responsibilities
- Lead application security across our payment platform, including secure code review, threat modeling, and security architecture for new products
- Own product security for new payment rails, including FBO account structures, stablecoin integration, and enhanced compliance features
- Design and implement DevSecOps tooling and automation to improve security posture across CI/CD and infrastructure
- Partner with engineering teams to embed security into the development lifecycle through automation, secure design patterns, and security champions
- Drive security architecture decisions for customer-facing APIs, authentication systems, and data protection controls
- Build monitoring and detection capabilities for application-layer threats, API abuse, and fraud patterns
- Design infrastructure monitoring, automation, and remediation practices that keep our systems resilient and trustworthy
- Compliance on the ownership and operation of SOC 2 controls, ensuring the systems you build map cleanly to control requirements and produce the evidence those controls depend on
- Serve as the technical owner for the security controls and automated tests that evidence the systems you build in our GRC platform (Vanta), partnering with engineering teams to keep them accurate and audit-ready as part of our SOC 2, SOC 1, and PCI DSS programs
- Coordinate with our independent external penetration testing provider to scope, schedule, and run the testing that satisfies our SOC 1, SOC 2, and PCI DSS requirements, and drive remediation of findings to closure
- Own vulnerability management across our applications and infrastructure, triaging and prioritizing findings, partnering with engineering on remediation, and tracking closure within the timelines our policies and compliance programs require
- Help design and operate encryption and key management practices across our platform, including key lifecycle and rotation, in line with our data protection controls and compliance requirements
- Partner with Workplace Technology to evaluate and secure the deployment of enterprise integrations, AI capabilities (including MCP), and third-party tools
- Influence technical strategy across Product, Platform, and Infrastructure teams on security and risk management
Requirements
- 6+ years in security engineering, with 3+ years focused on application and product security
- Strong experience with: Full-stack application security (frontend, backend, APIs)
- Authentication and authorization systems and identity management
- Infrastructure automation related to security (AWS, Docker, CI/CD pipelines)
- Fraud detection, prevention, and abuse mitigation in payment or financial products
- Secure SDLC practices and developer security tooling
- Experience with incident response and security monitoring
- Knowledge and experience with application security for Ruby on Rails, GraphQL, JavaScript, React, and containerized environments
- Payments engineering experience, ideally including fraud prevention and risk controls in money movement systems
What sets you apart
- 2+ years in payments or fintech, with a deep understanding of money movement security challenges
- Familiarity with compliance and regulatory standards for money movement, such as PCI DSS, BSA/AML, and KYC/KYB
- Experience with payment processing security across ACH, wires, card networks, and emerging rails
- Experience building controls for fraud detection, chargeback prevention, and abuse mitigation in payment systems
- Experience integrating security into DevOps workflows (e.g., Buildkite, IaC, AWS security automation)
- Experience with stablecoin security, blockchain integrations, or crypto payment rails
- Track record of balancing pragmatic risk management with business velocity
- Demonstrated ability to lead security initiatives across multiple teams without direct authority
Technologies we use
- Ruby on Rails for our backend framework
- React, GraphQL, and Tailwind CSS on the front end
- Postgres for our database
- AWS for infrastructure and hosting
- Docker for containerization
- Buildkite for continuous integration
- RegTech and anti-fraud platforms
- Vanta for compliance automation and continuous control monitoring