Application Security Engineer
- On-site, Remote, Hybrid
- Prague, Praha, Hlavní město, Czechia
- Engineering
Job description
Confirmo is a global stablecoin-first payment platform trusted by market leaders. Originally founded in Prague in 2014, we now run one of the most established infrastructures in the industry. In 2025, Confirmo Limited - part of the Confirmo Group - received authorization under the EU Markets in Crypto-Assets (MiCA) framework from the Central Bank of Ireland.
We are now looking to grow our security team by adding an Application Security Engineer. This is not a typical "sit back and monitor the dashboard" security role. At Confirmo, we build a leading stablecoin payment platform, and security is not just a department, it is part of our DNA.
Overview:
The ideal candidate started their career as a software developer, someone who has spent years writing production code and understands first-hand how applications are architected, built, and shipped. Over time, they gravitated toward security, bringing with them a developer's intuition for how things break and how codebases really work.
The vast majority of your time will be spent working directly with our engineering teams: participating in feature design from day one, reviewing code for security flaws, hardening our applications, and ensuring our development pipeline is trustworthy end to end. A smaller part of the role involves broader security responsibilities - supporting cloud infrastructure security, monitoring, and compliance efforts.
You will report to the Head of Security in Prague and collaborate closely with our CISO in Ireland.
Key Responsibilities:
Secure Development & Code Security (primary focus):
- Embed in the development process: join planning sessions, lead threat modeling, and review security-critical PRs as a collaborative partner, not a gatekeeper.
- Continuously assess the codebase, prioritizing high-risk areas: authentication, authorization, cryptography, API security, and sensitive data handling.
- Own SDLC security tooling: introduce and maintain SAST, dependency scanning, secret detection, and other automated checks across CI/CD pipelines.
- Secure the build and deployment pipeline: enforce code signing, access controls, and supply chain integrity to keep unauthorized or compromised code out of production.
- Manage vulnerabilities end to end: from triage through coordinated remediation and verification.
- Build a security-conscious engineering culture: through code reviews, knowledge sharing, and making security a natural part of how the team ships.
Infrastructure & General Security (secondary focus):
- Partner with our CISO on gap analysis between security standards and cloud infrastructure practices, and drive improvements.
- Support Blue Team operations: contribute to log management, detection rules, and alert investigation via SIEM and observability platforms.
- Maintain edge and network security configurations, including Cloudflare WAF, rate limiting, and access rules.
- Contribute to security policies and compliance efforts across employee devices and frameworks such as ISO 27001, SOC 2, and DORA.
Your Profile:
- Software development experience: At least 3 years of professional experience as a software developer. You have written production code, understand how real-world applications are architected and shipped, and can read and review code with confidence. We primarily use Java, but strong proficiency in another language (TypeScript, C#, Go, etc.) is perfectly fine.
- Application security expertise: Deep understanding of the OWASP Top 10 and secure coding principles. You can spot vulnerabilities in code, not just in theory but in practice, during code reviews and architecture discussions.
- Threat modeling: Ability to look at a feature design or system architecture, systematically identify what could go wrong, and propose practical mitigations before implementation begins.
- Secure SDLC understanding: You know how to integrate security into every phase of the development lifecycle, from design reviews through automated checks in CI/CD pipelines to production monitoring.
- Cloud security fundamentals: Understanding of public cloud security (preferably AWS), IAM, network segmentation, secrets management, and secure service configuration.
Location: Onsite, hybrid, or remote (within the Czech Republic) arrangements are offered for this role.
If you are interested in learning more, please submit your CV, and our recruiter will get back to you promptly.