RESPONSIBILITIES
- Perform hands-on web/API penetration tests, validate scanner findings, and provide clear PoCs, impact statements, and prioritized remediation aligned with OWASP.
- Integrate and tune SAST, DAST, SCA, container, and secret-detection tools in CI/CD; define pass/fail gates and PR checklists.
- Conduct lightweight threat modeling and security design reviews for new features such as authentication, session management, and secrets handling.
- Manage the full application vulnerability lifecycle (discover → prioritize → fix → retest → close) with SLAs and metrics.
- Assist in hardening AWS and ECS/Docker workloads (IAM roles, network segmentation, image policies, logging/monitoring) and support patch hygiene across cloud, container, and endpoints.
- Participate in incident response, including exploit reproduction, log analysis, impact assessment, and lessons learned.
- Provide evidence for audits (ISO 27001, SOC 2, NIST SSDF), maintain policies and developer guidance, and support vendor/security evaluations.
- Translate findings into developer-ready tickets, publish secure-coding guidance, and partner with engineering to streamline secure delivery.
- Prototype automation, explore AI/LLM-assisted workflows to improve triage and code review, and share improvements across teams.
- Contribute to organization-wide cybersecurity training and awareness efforts.
QUALIFICATIONS
- Bachelor's degree in security engineering, information assurance, or related field.
- 2–3 years of experience in security or software engineering (internships, labs, or open-source count), preferably in regulated industries.
- Strong knowledge of web/API security issues (auth, session management, injections, SSRF, CSRF, access control) and common cloud/web misconfigurations.
- Experience with SDLC security tools (SAST/DAST/SCA/secret detection/container scanning), CI/CD workflows, and Git.
- Scripting or coding skills (Python or JavaScript/TypeScript) and ability to read backend code.
- Familiarity with AWS security basics (IAM least privilege, KMS, logging/monitoring, security groups) and Docker/ECS runtime considerations.
- Clear communication skills with the ability to translate risk into actionable remediation.
- Experience using AI/LLM-assisted tools for triage, documentation, or code review preferred.
- Exposure to WAF/CDN tuning, API protection, and risk-based remediation SLAs/metrics preferred.
- Familiarity with frameworks like OWASP ASVS/SAMM, NIST SSDF, ISO 27001, SOC 2, PCI DSS preferred.
- Relevant security certifications preferred.
What We Do
Supernova is the technology leader in securities-based lending ("SBL") solutions that connect and empower the entire financial ecosystem. We offer the world’s first and only cloud-based, fully-customizable, end-to-end software solution to automate securities-based lending from origination through the life of the loan.
Why Work With Us
At Supernova, we're all about helping investors to achieve financial wellness. And that starts with cultivating an awesome company culture where everyone enjoys working hard and celebrating...together. We envision a world where all people have the highest probability for accomplishing their goals with the least amount of risk.
Supernova Technology Offices
Hybrid Workspace
Employees engage in a combination of remote and on-site work.
Employees report to the office at least 4 days a week, on whichever days make the most sense for them.