About Fintech Farm We are a UK fintech creating successful neobanks in emerging markets in partnerships with local traditional banks. The mission is to make banking services accessible, simple and fun to use worldwide and the goal is to launch neobanks in 50+ markets, serving 100m+ customers.
Our success builds upon a best-in-class product, customer experience, emotional engagement, viral marketing and deep credit-decisioning expertise across our product suite covering credit, payments, savings and investments. One of our founders also previously co-founded a highly successful Eastern European neobank with a multi-million customer base.
We launched our first market with Leobank in Azerbaijan in 2021, where we’ve already taken a leading market position. Our next market was Vietnam, where we launched Liobank in early 2023 and have also reached strong traction. We have several more markets on the roadmap in the next 12 months and are starting to build out teams there.

Why Fintech Farm is a Great Place to Be

Our Ambition
We are looking to become a leading consumer digital bank brand in each market we operate, making it easy for consumers to interact with their money. You could be a part of this exciting journey.

Our Culture

Customers
We always go above and beyond to provide an amazing customer experience. We serve our customers the way we would want our mom to be served. And who said that banking has to be boring? We make our apps not just easy but fun to use.

People
We are all business partners in our company. Each of us thinks big, acts as if we own the place and never takes “no” for an answer. We work with strong individuals whom we empower and trust rather than micromanage. Common sense rather than formal policies prevails in all that we do. We always stay curious and open-minded.

About the Role
Join our security team as a hands-on AppSec/DevSecOps engineer in a regulated fintech environment. You’ll work closely with DevOps and engineering to scale application security across an established payment platform — aligned with PCI DSS, PCI SSF, and ISO 27001.
This is a high-ownership role. You’ll be a trusted security partner who turns risk into clear engineering decisions and raises the bar across the SDLC.
How we work:
We’re an AI-forward team. We expect engineers to lean on AI tools (Claude, MCP-driven / agent-centric workflows) to move faster, automating triage, accelerating code reviews, and scaling what one person can realistically cover. We measure outcomes, not hours.

What You’ll Own

Vulnerability Management
* Drive the full vulnerability lifecycle: intake, triage, prioritization (CVSS + business context), remediation, and validation
* Systematize findings from pentests and QSA assessments; coordinate fixes with engineering
* Maintain the vulnerability register and report regularly to stakeholders

Security Tooling & CI/CD
* Integrate and tune SAST, DAST, SCA, secrets detection, and container scanning with DevOps
* Define and enforce security gates in CI/CD (pass/fail criteria, break-build policies)
* Evaluate new tooling and make the case for adoption

Pre-Release Security Gates
* Define formal release acceptance criteria: policies on Critical/High vulns, scan coverage, sign-off
* Embed gates into the release process; track exceptions and waivers formally
* Contribute SSLC artifacts required under PCI SSF

Application Security Engineering
* Threat modeling during design and architecture reviews
* Secure code reviews and security-focused design consultations
* OWASP ASVS assessments; track maturity via OWASP SAMM
* Mobile security testing with OWASP MASVS (iOS + Android)
* Support external pentests: scoping, briefing, report review, fix validation

Compliance Support
* Provide AppSec/DevSecOps evidence for PCI DSS, PCI SSF SSLC, and ISO 27001
* Partner with the GRC hire on technical evidence and control validation

Secure SDLC & Culture
* Maintain secure coding guidelines and a security requirements library
* Grow our Security Champions network within dev teams

Metrics & Reporting
* Own AppSec KPIs: MTTR by severity, pipeline scan coverage, open/closed findings, pentest and bug bounty trends
* Build dashboards and automate collection wherever possible
* Deliver regular status reports to the Head of IS and CISO

What We’re Looking For
* 2+ years in AppSec, Product Security, or a security-focused engineering role
* Solid grasp of OWASP Top 10 (Web + API), ASVS, and common vulnerability classes
* Hands-on with SAST/DAST tools (Semgrep, Checkmarx, SonarQube, Burp, ZAP) integrated into CI/CD
* Experience with SCA (Snyk, Dependabot, Dependency-Check) and secrets scanning (GitLeaks, TruffleHog)
* Vulnerability backlog management: triage, prioritization, communication, validation
* Familiarity with at least one AppSec-relevant framework
* Clear writer: findings, reports, and metrics that land with both engineers and leadership
* AI-fluent: you already use AI tools in your daily workflow and instinctively look for what to automate

Nice to Have
* Container/Kubernetes security (image scanning, runtime, pod security policies)
* Cloud security (AWS/GCP/Azure IAM, cloud-native tooling)
* Threat modeling tools (Threat Dragon, IriusRisk)
* Mobile security: OWASP MASVS, iOS/Android pentest techniques
* Security Champions program experience
* Software engineering or QA background
* OWASP SAMM assessments
* SBOM generation and management
* Bug bounty operations
* Automation scripting (Python, Bash)
* AppSec dashboards/metrics pipelines (Jira, Grafana, DefectDojo)