Product Security Engineer

To elevate Ajaib’s security posture to global financial standards by building a high-velocity "Paved Road". You will move away from being a "siloed" security auditor to becoming an enabler who builds the automated infrastructure that makes the secure path the easiest path for developers.

Responsibilities

1. Building the "Paved Road" (Platform Layer)

• Continuous Scanning: Integrate SAST, DAST, and SCA (Software Composition Analysis) into CI/CD pipelines (GitHub Actions) to provide instant feedback to developers.
• Security-as-Code: Automate security gates in the deployment pipeline to block high/critical severity findings from reaching production.
• Tooling Ownership: Manage and maximize the value of the current security stack, including SonarQube, Cloudflare [WAF] and Cloud Automation .
• Infrastructure-as-Code (IaC): Build IaC guardrails with automated drift detection to ensure cloud infrastructure (GCP/AWS) remains resilient.

2. Delivery & Cultural Leadership

• Security Champions: Identify and support embedded Security Champions in every squad, ensuring threat modeling occurs during the design phase rather than right before launch.
• Vulnerability Management: Transition from manual tracking to a prioritized Jira backlog, partnering with developers to verify root causes and remediation.
• Security Culture: Run developer awareness sessions and secure code workshops to foster a "you build it, you run it, you secure it" mindset.

3. Fintech & API Security

• API Assessment: Test payment APIs, transaction flows, and KYC/AML pipelines for fintech-specific attack vectors like BOLA (Broken Object Level Authorization) and mass assignment.
• Compliance Support: Ensure technical execution meets Governance Layer standards for Zero Trust and corporate identity anchoring.

Requirements

• AppSec Fundamentals: Deep understanding of OWASP Top 10, CWE, and secure SDLC principles.
• Automated Tooling: Proficiency in SAST/DAST/SCA tools such as Semgrep, Snyk, Burp Suite Professional, and SonarQube.
• Cloud & CI/CD: Practical experience with GCP/AWS IAM, secrets management, and embedding security into GitHub Actions.
• Threat Modeling: Ability to conduct threat models using STRIDE or PASTA during the design phase.
• Scripting: Proficiency in Python or Bash for scan automation and custom security checks.
• Identity & Access: Experience with JumpCloud or Google Workspace for identity anchoring and automated lifecycle management.
• Crypto Exposure: Understanding of wallet security, smart contract audit basics, or DeFi risk awareness.
• Fintech Security: Awareness of PCI-DSS standards and payment gateway security.

Benefits

Join us as we make magic happen to increase Indonesia’s financial inclusion!