
Senior Application Security Architect

Job

Payactiv Inc

Milpitas, CA (In Person)

$185,000 Salary, Full-Time

Posted 1 day ago (Updated 10 hours ago) • Actively hiring

Expires 7/4/2026


Job Description

Job Title: Senior Application Security Architect
Location: Payactiv's Milpitas, CA Headquarters
Reports to: Director of Information Security

Who we are…

We are Payactiv, a FinTech company devoted to giving workers access to their earned wages when they need them. Payactiv is the pioneer and industry leader in Earned Wage Access — the only Certified B Corporation and Public Benefit Corporation in our industry. Our platform helps millions of workers avoid debt, build financial stability, and take control of their financial lives. We partner with thousands of employers who recognize that financial wellness isn't a perk — it's the foundation of a loyal, engaged workforce.

Payactiv is seeking a hands-on Application Security Architect who will act as the principal consultant for security architecture across the entire product lifecycle, from conceptual design through to delivery and continuous development. Your central objective is to design, implement, and supervise a robust enterprise-wide Secure SDLC initiative. Leveraging extensive expertise in the Microsoft .NET framework along with functional proficiency in Python, Node.js / TypeScript, Angular, and React, you will drive secure-by-design strategies, govern Git branching and merging protocols, and facilitate technical peer evaluations. Additionally, you will collaborate with architecture groups to verify that all new and existing software and infrastructure projects align with internal security policies and adhere to mandatory regulatory frameworks such as ISO, PCI, OWASP, and NIST 800-53.

What you will do…

- Partner with product owners, engineering teams, and solution architects to architect, formalize, and implement a Secure SDLC framework. This framework should be based on NIST SSDF, OWASP SAMM, BSIMM, and Microsoft SDL standards, incorporating mandatory security checkpoints throughout the planning, development, testing, deployment, and operational phases to guarantee that security protocols are integrated from the project's inception.
- Lead the architectural review process by overseeing ADRs, evaluating system architectures, and directing threat modeling sessions with methodologies such as attack trees, PASTA, and STRIDE.
- Act as the authoritative figure for security architecture, with the mandate to approve or deny designs based on established security benchmarks while championing a secure-by-design philosophy.
- Establish and uphold robust benchmarks for data handling and logging, alongside standards for cryptography, secure coding, and authentication/authorization frameworks such as FIDO2, mTLS, SAML, OIDC, and OAuth 2.1.
- Manage comprehensive .NET application security: provide end-to-end oversight for C#, .NET 6/7/8+, ASP.NET Core (MVC, Web API, Minimal APIs), Blazor, gRPC, and EF Core. This includes securing the supply chain, hardening legacy .NET Framework environments, and implementing identity solutions.
- Deliver architectural guidance for modern stacks: provide secure-coding expertise for Node.js, TypeScript (Express, NestJS, Next.js), and Angular, defining approved libraries and language-specific security patterns.
- Oversee development governance and reviews: manage Git branching strategies and repository protections across GitHub, Azure DevOps, and GitLab. Lead a tiered peer-review program for high-risk changes, conducting final reviews on critical paths.
- Architect and manage the AppSec toolchain: operate security automation including SAST, DAST, SCA, and secrets scanning. Define build-break policies, manage SBOM/SLSA compliance, and consolidate results via ASPM platforms.
- Lead vulnerability and incident response: own application-layer risk management, prioritizing issues via CVSS/EPSS and coordinating responses to supply-chain threats or zero-day events.
- Team leadership and mentorship: supervise AppSec engineers and Security Champions, fostering a security culture through paired coding, internal CTFs, and the development of reference architectures and playbooks.

What you need…

- 8+ years in a dedicated Application Security / Secure SDLC role.
- 8+ years of production C# / .NET - expert in modern .NET (6/7/8+), ASP.NET Core, EF Core, secure deserialization, authorization policies, Data Protection, and NuGet supply-chain hygiene.
- Working architect-level proficiency in Python, Node.js / TypeScript, and Angular - able to define standards, review code, and threat-model these stacks.
- Expert in Git internals, branching strategies, merge semantics, signed commits, and large-scale repo governance on GitHub Enterprise / Azure DevOps / GitLab.
- Proven track record standing up or significantly maturing a Secure SDLC at enterprise scale, security-as-code, metric-driven AppSec.
- Deep knowledge of OWASP Top 10, API Top 10, ASVS L2/L3, CWE Top 25, MITRE ATT&CK, applied cryptography, and identity protocols (OAuth 2.1, OIDC, SAML, FIDO2).
- Excellent written communication - authors standards, ADRs and executive briefings; calm, structured incident leadership.
- Third-party/vendor risk assessments, ensuring alignment with internal security policies and risk tolerance.

Nice to have

- Public CVEs, OSS security tooling, or conference talks (BlackHat, DEF CON, OWASP, NDC, .NET Conf).
- Experience building paved-road platforms / internal developer platforms (Backstage).
- AI / LLM application security (OWASP LLM Top 10, prompt injection, model supply chain).
- Fuzzing experience (SharpFuzz, libFuzzer) and prior PSIRT leadership.

What we offer…

- Company sponsored Health, Dental, and Vision insurance
- 401K, traditional, and Roth with a company match
- Tuition Assistance or Tuition Reimbursement
- Unlimited Paid Time off
- Monthly Gym Reimbursement
- Paid time off to volunteer
- Paid Family Leave
- Complimentary lunches onsite
- Opportunity to grow
- Opportunity to work with a great team committed to making a difference.
- Salary range $175k to $195k + Bonus