Back to search
BukuWarung Linkedin · Posted 16d ago

Senior Security Engineer

India

Linkedin
Continue to application Add your email once, then Caio opens the original posting.

Indexed description

About BukuWarung

BukuWarung is building the financial and digital nervous system for millions of underserved merchants across Indonesia, payments, credit, software, and money management in one integrated platform. Our payments stack spans Virtual Accounts, card-based EDC terminals (mini ATM), QRIS Soundbox, and the shared backend that powers all of them. We operate in a regulated payments environment where compliance and security standards are a core engineering concern, not an afterthought.

The Role

We are looking for a Senior Security Engineer with deep payments-security expertise, the ownership mindset of a compliance driver, and the hands-on instincts of a security tester. You will partner directly with Engineering leads and individual engineers — embedding security into how teams design and build, not bolting it on after the fact. Hands-on work and cross-functional influence are equally weighted here.

What You Will Do

Payments & Product Security

  • Own the security posture of our EDC terminals, QRIS Soundbox, Virtual Account flows, and the APIs connecting them
  • Perform threat modeling and security reviews on new payment products and infrastructure before they ship
  • Define payment key management requirements: transactional key lifecycle, key injection, HSM usage, and PIN security on EDC terminals
  • Harden payment APIs with HMAC request signing, mutual TLS, certificate pinning, and replay-attack prevention
  • Assess risks in our Android EDC app: root detection, code obfuscation, intent restriction, local data encryption, and version allow-listing

Compliance Ownership

  • Own and drive ISO 27001, PCI-DSS, and SOC 2 certification cycles end-to-end: gap assessments, control implementation, evidence collection, and audit liaison
  • Own PCI-DSS and PCI PTS compliance requirements for our EDC and QRIS estate: transactional key protection, PIN security standards, and payment cryptography obligations
  • Assess and track alignment with Bank Indonesia (BI) PADG and POJK cybersecurity requirements for payment products
  • Maintain our ISMS, policy library, risk register, and vendor security review process
  • Serve as the security interface across Engineering, Product, Business, Risk, and Legal — translating control requirements into engineering work

Hands-On Testing & Security Automation

  • Run application security testing across the payments platform: DAST, SAST, dependency scanning, API fuzzing, and mobile assessments
  • Build internal security tooling — automated scanners, CI/CD shift-left integrations, and dashboards that surface risk continuously
  • Conduct or coordinate penetration testing of EDC, Soundbox, and backend services; own findings triage through closure
  • Use AI tooling to scale security coverage — smarter scanners, anomaly surfacing, and pentest automation

Incident Response & Security Culture

  • Lead P0 and P1 security incident response: cross-functional coordination, forensics, and post-mortems with MTTD and MTTR ownership
  • Drive the security ladder within Engineering: secure coding guidelines, threat-modeling practices, and developer enablement
  • Mentor engineers on security patterns and build reusable secure-by-default primitives across the platform

Required

What We Are Looking For

  • 5–8+ years in security engineering with meaningful time in payments, fintech, or financial services
  • Hands-on experience securing payment systems: EDC terminals, QR-payment infrastructure, or Virtual Account and disbursement rails
  • Proven end-to-end ownership of ISO 27001, PCI-DSS, or SOC 2, scoped, implemented, and delivered, not just supported
  • Deep knowledge of payment key management: transactional key lifecycle, HSM or equivalent, and cryptographic key protection standards
  • Strong AppSec fundamentals: threat modeling, OWASP, Android mobile security, API security, and secure SDLC
  • Experience building security automation: SAST/DAST pipelines, CI/CD integrations, or custom tooling
  • Proficiency with AWS security controls: IAM, KMS, Secrets Manager, VPC segmentation, Security Hub, GuardDuty
  • Clear communicator, able to articulate risk and tradeoffs to both engineering and non-technical stakeholders

Strong Signals

  • Certifications: OSCP, CEH, CISSP, CISM, PCI QSA or ISA, or equivalent
  • Designed payment-API hardening controls from scratch: HMAC, mTLS, certificate pinning, replay prevention
  • Experience with PCI PTS, EMV, or terminal-level security for card-acceptance devices
  • Built security tooling or pentest agents leveraging AI or LLMs
  • Authored threat models, RFCs, or post-mortems that materially changed how a system was built
  • Familiarity with Bank Indonesia regulatory requirements for payment security and data protection
Free. 20 seconds. No password. See every match in this search.

Create a free Caio profile to unlock more results and save your role and location preferences.

Unlock free search
Want help applying to roles like this? Search Caio for free. If CV tailoring and application tracking get heavy, Full Caio Agent adds a human specialist.
View Full Agent