Senior Application Security Architect

  • Payactiv
  • Milpitas, California
  • Full Time

Job Title: Senior Application Security Architect

Location: Payactiv's Milpitas, CA Headquarters

Reports to: Director of Information Security

Who we are

We are Payactiv, a FinTech company devoted to giving workers access to their earned wages when they need them. Payactiv is the pioneer and industry leader in Earned Wage Access - the only Certified B Corporation and Public Benefit Corporation in our industry. Our platform helps millions of workers avoid debt, build financial stability, and take control of their financial lives. We partner with thousands of employers who recognize that financial wellness isn't a perk - it's the foundation of a loyal, engaged workforce.

Payactiv is seeking a hands-on Application Security Architect who will act as the principal consultant for security architecture across the entire product lifecycle, from conceptual design through to delivery and continuous development. Your central objective is to design, implement, and supervise a robust enterprise-wide Secure SDLC initiative. Leveraging extensive expertise in the Microsoft .NET framework along with functional proficiency in Python, Node.js / TypeScript, Angular, and React, you will drive secure-by-design strategies, govern Git branching and merging protocols, and facilitate technical peer evaluations. Additionally, you will collaborate with architecture groups to verify that all new and existing software and infrastructure projects align with internal security policies and adhere to mandatory regulatory frameworks such as ISO, PCI, OWASP, and NIST 800-53.

What you will do

  • Partner with product owners, engineering teams, and solution architects to architect, formalize, and implement a Secure SDLC framework. This framework should be based on NIST SSDF, OWASP SAMM, BSIMM, and Microsoft SDL standards, incorporating mandatory security checkpoints throughout the planning, development, testing, deployment, and operational phases to guarantee that security protocols are integrated from the project's inception.
  • Lead the architectural review process by overseeing ADRs, evaluating system architectures, and directing threat modeling sessions with methodologies such as attack trees, PASTA, and STRIDE. Act as the authoritative figure for security architecture, with the mandate to approve or deny designs based on established security benchmarks while championing a secure-by-design philosophy.
  • Establish and uphold robust benchmarks for data handling and logging, alongside standards for cryptography, secure coding, and authentication/authorization frameworks such as FIDO2, mTLS, SAML, OIDC, and OAuth 2.1.
  • Manage comprehensive .NET application security: provide end-to-end oversight for C#, .NET 6/7/8+, ASP.NET Core (MVC, Web API, Minimal APIs), Blazor, gRPC, and EF Core. This includes securing the supply chain, hardening legacy .NET Framework environments, and implementing identity solutions.
  • Deliver architectural guidance for modern stacks: provide secure-coding expertise for Node.js, TypeScript (Express, NestJS, Next.js), and Angular, defining approved libraries and language-specific security patterns.
  • Oversee development governance and reviews: manage Git branching strategies and repository protections across GitHub, Azure DevOps, and GitLab. Lead a tiered peer-review program for high-risk changes, conducting final reviews on critical paths.
  • Architect and manage the AppSec toolchain: operate security automation including SAST, DAST, SCA, and secrets scanning. Define build-break policies, manage SBOM/SLSA compliance, and consolidate results via ASPM platforms.
  • Lead vulnerability and incident response: own application-layer risk management, prioritizing issues via CVSS/EPSS and coordinating responses to supply-chain threats or zero-day events.
  • Team leadership and mentorship: supervise AppSec engineers and Security Champions, fostering a security culture through paired coding, internal CTFs, and the development of reference architectures and playbooks.

What you need

  • 12+ years in software engineering; 8+ years in a dedicated Application Security / Secure SDLC role.
  • 8+ years of production C# / .NET - expert in modern .NET (6/7/8+), ASP.NET Core, EF Core, secure deserialization, authorization policies, Data Protection, and NuGet supply-chain hygiene.
  • Working architect-level proficiency in Python, Node.js / TypeScript, and Angular - able to define standards, review code, and threat-model these stacks.
  • Expert in Git internals, branching strategies, merge semantics, signed commits, and large-scale repo governance on GitHub Enterprise / Azure DevOps / GitLab.
  • Proven track record standing up or significantly maturing a Secure SDLC at enterprise scale, security-as-code, metric-driven AppSec.
  • Deep knowledge of OWASP Top 10, API Top 10, ASVS L2/L3, CWE Top 25, MITRE ATT&CK, applied cryptography, and identity protocols (OAuth 2.1, OIDC, SAML, FIDO2).
  • Excellent written communication - authors standards, ADRs and executive briefings; calm, structured incident leadership.
  • Third-party/vendor risk assessments, ensuring alignment with internal security policies and risk tolerance.

Nice to have

  • Public CVEs, OSS security tooling, or conference talks (BlackHat, DEF CON, OWASP, NDC, .NET Conf).
  • Experience building paved-road platforms / internal developer platforms (Backstage).
  • AI / LLM application security (OWASP LLM Top 10, prompt injection, model supply chain).
  • Fuzzing experience (SharpFuzz, libFuzzer) and prior PSIRT leadership.

What we offer

  • Company sponsored Health, Dental, and Vision insurance
  • 401K, traditional, and Roth with a company match
  • Tuition Assistance or Tuition Reimbursement
  • Unlimited Paid Time off
  • Monthly Gym Reimbursement
  • Paid time off to volunteer
  • Paid Family Leave
  • Complimentary lunches onsite
  • Opportunity to grow
  • Opportunity to work with a great team committed to making a difference.
  • Salary range $175k to $195k + Bonus
Job ID: 523444105
Originally Posted on: 6/3/2026
