Company Description
Fairness feels good
Make a real impact at AFCA. Where fairness drives every decision. Help us deliver world-class, independent complaints resolution for Australians. As a not-for-profit and progressive financial ombudsman, we’re championing positive change. Achieving our purpose takes progressive thinking, accountability and resilience. At AFCA, our inclusive leadership values every voice. We offer our people flexible work options, thoughtful benefits and opportunities to deepen expertise. Flourish in a diverse, caring culture. Feel the difference of belonging to an organisation intentionally designed to put people first.
Job Description
We’re looking for a Senior Application Security Engineer to embed security across AFCA’s software development and digital delivery practices.
This is a hands-on role where you’ll partner closely with engineering, product and platform teams to ensure applications are secure by design and secure by default across web, API and cloud-native environments.
You’ll play a key role in strengthening our application security capability while supporting a broader digital transformation program.
In this role you will:
- Embed application security practices across the SDLC, from design through to deployment and operations
- Define and implement secure coding standards, patterns and controls across applications and APIs
- Lead threat modelling, secure design reviews and penetration testing activities
- Implement and optimise application security tooling (SAST, DAST, SCA, secrets detection) within CI/CD pipelines
- Triage vulnerabilities, prioritise remediation and partner with engineering teams to drive fixes
- Provide hands-on guidance on secure design, authentication, data protection and API security
- Drive DevSecOps maturity through automation and security integration in development workflows
- Contribute to vulnerability management, reporting and continuous improvement
- Strengthen controls for AI-enabled applications and emerging security risks
Qualifications
You’re a technically strong and pragmatic security engineer who enjoys working closely with developers to build secure, scalable systems.
You’ll bring:
- Significant experience in application security, product security, DevSecOps and/or secure software engineering roles within complex enterprise or highly regulated environments.
- Deep expertise in modern application security practices, including secure SDLC, threat modelling, secure design review, secure coding and application security testing.
- Strong hands-on experience working with software development and product engineering teams across modern application stacks, APIs, integrations and cloud-based platforms.
- Demonstrated expertise in penetration testing and security assessment of web applications, APIs and related services, including validating findings and explaining their exploitability and business risk.
- Practical experience implementing, tuning or operating SAST, DAST and SCA capabilities and integrating these into CI/CD pipelines and engineering workflows.
- Strong vulnerability management capability, including triage, prioritisation, remediation guidance, exception management, reporting and metrics.
- Strong knowledge of OWASP Top 10, API Security Top 10, common attack vectors, authentication and authorisation models, cryptographic fundamentals and secure-by-design principles.
- Experience with automation, scripting or software development sufficient to build or improve security tooling, developer guardrails and security-as-code practices.
- Understanding of AI security risks and controls, including risks associated with AI-enabled applications, LLM usage, prompt injection, data leakage and insecure model integration.
- Experience in financial services, government or other highly regulated industries will be highly regarded.
- Excellent stakeholder engagement and communication skills, with the ability to influence engineers, architects, product owners and business leaders.
Additional Information
- Silver AWEI Accreditation 2025 – Recognised for LGBTQ+ workplace inclusion.
- Accredited Family Friendly Workplace – Supporting work-life balance and inclusivity.
- Hybrid working – Flexible arrangements with two days a week in our modern offices designed for collaboration and wellbeing.
- Additional and inclusive leave options – Flexible public holidays, gender affirmation leave, women’s health leave, and bonus paid time off over the end of year holiday period.
To apply
If you’re passionate about fairness and believe your skills align with this role, we encourage you to apply even if you don’t meet every single criterion.
We welcome applications from people of all backgrounds, cultures, abilities, sexual orientations, and gender identities. If you require any accessibility support during the recruitment process, please reach out to our team at [email protected].
We believe fairness starts with people. That’s why we don’t use AI or automated tools to screen candidates. As a result, our processes may take a little longer, and we thank you for your patience.
About AFCA
The Australian Financial Complaints Authority (AFCA) was established in 2018 as a private not-for-profit ombudsman service providing free, fair and independent help with financial disputes. The original team has grown to over 1600 dedicated professionals. Since 2018, AFCA has received more than 634,000 complaints, helping to secure $2.1 billion in compensation for consumers.
AFCA is a 2026 Circle Back Initiative Employer - we are committed to responding to every applicant.