Senior Application Security Engineer

Senior Application Security Engineer

About Us

Branch is on a mission to empower workers with financial freedom. We do this by helping companies accelerate payments and providing working Americans with accessible, free financial services. We’re committed to building and delivering more inclusive, transparent, and frictionless financial products. Our goal of empowerment extends to our own employees, too. Have a great idea? Share it today and it might just get implemented tomorrow. As a member of our team, your voice and creativity matter—and they can directly impact our products, company, and culture. We not only focus on attracting great talent from across the country, but also on building teams that help that talent thrive. That means valuing a diversity of opinions and working styles, while creating a shared belief in innovation, initiative, and winning together. Come join our team as we develop new ways to improve the lives of working Americans.

About the Role

Branch is seeking an experienced Security professional to join our team. This position will work in all aspects of security, so broad security knowledge is preferred. The ideal candidate will have a background in securing applications, networks, cloud environments, and corporate devices. Responsibilities include, but are not limited to:

• Embed security into the SDLC by partnering with Engineering to implement secure design patterns, conduct threat modeling, and deliver developer-focused AppSec training
• Lead and perform application security assessments including SAST, DAST, SCA, and manual code review across web, mobile, and API surfaces
• Drive API security across internal and external services — including authentication, authorization, rate limiting, and abuse prevention controls
• Own and mature the vulnerability management program, including prioritization frameworks, SLA tracking, and cross-functional remediation coordination
• Champion software supply chain security initiatives, including SBOM generation, dependency risk analysis, and third-party component vetting
• Assist GRC with technical third-party risk reviews and vendor security assessments
• Respond to and lead security incidents in a measured, programmatic, and timely manner — from identification through post-incident review
• Implement and iterate on security automation and orchestration to improve detection, response, and coverage at scale
• Implement, monitor, and continuously improve security controls across cloud infrastructure, endpoints, and the product
• Assess and mitigate AI