Senior Application Security Engineer

Relay

1mo ago
Toronto, ON Hybrid
Competitive
Full-time
Security Engineer Application Security

Job Description

Join Relay: Secure the Future of SMB Finance as a Senior Application Security Engineer

At Relay, we're revolutionizing how small businesses manage their money. We're building an all-in-one, collaborative platform that empowers SMBs to thrive. Forget traditional banking limitations – we're focused on delivering a human-centric experience that puts our customers "on the money."

We're seeking a passionate and proactive Senior Application Security Engineer to join our team and play a critical role in securing our platform. If you're driven by autonomy, thrive on solving complex security challenges, and want to make a tangible impact, this is your opportunity.

This isn't just another AppSec role – you'll be on the front lines, proactively shaping our security posture and protecting our SMB customers. You'll be working across our entire stack – from TypeScript and Node.js to Postgres and AWS cloud infrastructure – ensuring security is baked in from the design phase to deployment. You'll collaborate closely with Site Reliability Engineers and other platform team members, ensuring all our production workloads are safe and secure.

If you're ready to ditch the "ticket queue" and build something truly secure, join us and become a champion of AppSec at Relay!

Your Mission:
Architect & Implement Shift-Left Guardrails: Design, build, and maintain secure-by-default libraries and automated CI checks (SAST/DAST/Secrets/SCA, threat-model gates). Ensure PRs meet AppSec standards and critical vulnerabilities are identified and addressed before code merges. Partner with product teams to proactively integrate application security controls and ensure adherence to secure product standards.
Fortify Identity & Account Protection: Lead the charge in hardening authentication mechanisms (e.g., passkeys/WebAuthn), step-up authentication flows, and session controls. Collaborate with stakeholders to demonstrably reduce security violations.
Secure the Software Supply Chain: Enforce strict provenance controls: SBOM on every build, dependency pinning/owner verification, private registries/proxies, and runtime SCA detections.
Integrate Security into the SDLC & IDE: Embed security seamlessly into CI/CD pipelines (GitHub Actions, etc.) across our diverse tech stack (JS/TS/Python and more). Maintain and enhance secure coding capabilities with IDE integration for all delivery teams.
Bolster Cloud & Infrastructure Security: Partner with SREs to strengthen infrastructure security and embed security features directly into core applications and workflows.
Champion AI Security: Conduct thorough AI risk reviews for new features, covering OWASP Top 10 for LLMs. Implement robust safeguards against prompt injection, data leakage, and excessive agency. Govern the secure use of AI-generated code in CI.
Drive Threat Intel & Offensive Testing: Stay ahead of emerging threats (especially in npm and fintech). Conduct targeted black-box testing, support red/purple team exercises, and develop actionable playbooks.
Manage VDP & Bug Bounty: Triage researcher reports, reproduce and assess impact, coordinate fixes with owners, communicate clearly with researchers, and implement durable controls to close the loop.
Elevate Security Tooling: Leverage your experience with security tooling and monitoring/alerting systems to improve our overall security posture.
Evangelize Security Best Practices: Mentor team members on secure coding patterns and create concise guidance and runbooks that empower developers to deliver secure code faster.

What You Bring to the Table:
Experience: 5+ years in Application Security, Product Security, Penetration Testing, or a similar role.
Software Prowess: Expert in JavaScript, TypeScript, and Python. You can confidently review PRs, contribute code, and build secure libraries in these languages.
Security Expertise: Deep understanding of OWASP Top 10 and real-world exploitation/mitigation techniques.
Enablement Mindset: You prioritize empowering development teams with effective guardrails over restrictive gates.
Communication & Collaboration Skills: You're a clear communicator and passionate collaborator, dedicated to partnering with developers to deliver secure value to our customers.
Ownership Mentality: You take ownership of problems, ensuring nothing falls through the cracks and stakeholders stay informed.
Mentorship Experience: You're comfortable mentoring team members and others on security best practices.

Bonus Points:
Experience implementing passkeys/WebAuthn or phishing-resistant MFA at scale.
Familiarity with tools like Socket.dev, Semgrep, Datadog AppSec, GitHub Advanced Security, ZAP/IAST, Burp Suite.
Experience building private npm proxies, artifact repos, and SLSA-aligned pipelines.
Participation in or leadership of red/purple team exercises and game days.
Fintech/regulatory experience; experience working in compliance-driven environments such as SOC 2.
Experience securing AI workflows and products.
Experience joining a company in its early stages and scaling its security alongside its growth.
Show us your home lab!

Our Commitment to You:
Competitive salary and meaningful equity: You'll be a Relay owner.
Comprehensive health benefits: Full health benefits from day one, including flexible Health or Wellness Spending Accounts and medical, dental, and vision coverage.
Flexible vacation and time off: 15 vacation days and 5 flex days annually, plus an extra week of office closure during the end-of-year holidays.
Parental leave with top-up: 12 weeks off with a 100% salary top-up for all full-time employees, regardless of location or parental status.
Hybrid work environment: Meaningful collaboration at our Toronto office twice a week, with lunch, snacks, and beverages provided.
Dog-friendly space: Our office is 100% floof-friendly!
Personal and professional growth: Ongoing feedback, mentorship, and coaching to support your growth.
Top-tier equipment: Mac-first company with everything you need to do your best work.
Social connection: Company-wide get-togethers, quarterly team events, happy hours, and networking opportunities.

The Interview Process:
Stage 1: 45-minute introductory video call with a member of our Talent team.
Stage 2: 60-minute technical video call with the hiring manager.
Stage 3: 60-minute secure code review exercise with the hiring manager and a senior member of our AppSec team.
Stage 4: 45-minute in-person interview with a member of our leadership team.
Stage 5: Take-home assignment followed by a 60-minute video call with two members of our AppSec team to review your assessment.

Why Relay Might Be the Perfect Fit For You:
You push relentlessly for reinvention.
You crave autonomy.
You own your work.
You treat comfort as a red flag.
You care about impact, not noise.
You're energized by complexity and ambiguity.
You seek out feedback.
You're here for more than a job.

Our Promise:
At Relay, we're building the future of finance for small businesses, and we're doing it with a team of truly remarkable people. Join us and build a career you love.

What's Important to Us:
We encourage you to apply, even if you don't meet 100% of the qualifications. We are an equal opportunity employer and value diversity. We will work with applicants to provide accommodations at any stage of the hiring process.