Information Security Engineer II

Join our team - and take the next step in achieving a fulfilling career!

What We Do

At CardWorks, we aim to help people connect with possibility and opportunity using our financial servicing expertise. Building meaningful, long-term relationships with consumers, our employees, and our clients is what matters most.

Who We Are

CardWorks, Inc. is a diversified consumer finance service provider and parent company of CardWorks Servicing, LLC, Merrick Bank and Carson Smithfield, LLC.

CardWorks Servicing, LLC provides end-to end operational servicing functions for credit cards, secured cards, and installment loans.  We service consumer and small business loans across the credit spectrum and offers backup servicing and due diligence services to capital providers and trustees.

Merrick Bank is an FDIC-insured Utah Industrial Loan Bank. Merrick operates three main business lines: credit cards, recreational lending, and merchant services.

Carson Smithfield, LLC provides a variety of post-charge-off debt recovery services, including digital self-service, IVR, live agent, and external agency management.

Position Summary

We are seeking a skilled and motivated Application Security Engineer to join our team. This role involves safeguarding our software applications and development processes against security threats. The ideal candidate will work closely with developers, DevOps, and IT teams to identify vulnerabilities, implement security best practices, and ensure compliance with industry standards.

Essential Functions

Key Application Security Engineer Responsibilities Include:

• Collaboration & Training: Work closely with development and DevOps teams to ensure security best practice and the SDLC policies are followed during all stages of the Coding pipelines. Deliver training and awareness sessions on application security for developers and stakeholders.
• Code & Architectural Reviews: Conduct in-depth reviews of application code to identify and address security vulnerabilities. Analyze application architecture to ensure robust security design and alignment with best practices. Collaborate with architects and engineering teams to incorporate secure design principles into software systems.
• Automation and Integration Development: Direct the development of tools, scripts, and frameworks to enhance testing processes and reporting, integrating security checks within continuous integration (CI) workflows.
• Tool Management: Implement and manage security tools like Web Application Firewalls (WAFs), vulnerability scanners, AST tools, and dependency checkers.
• Manual and Automated Web Application Testing: Perform manual and automated testing of web applications to identify vulnerabilities such as authentication flaws, session management issues, business logic errors and common web application vulnerabilities. Validate findings from automated tools by replicating issues manually to confirm exploitability and severity.
• Reporting and Communication: Produce detailed, actionable reports tailored to technical and non-technical audiences. Effectively communicate with cross-functional stakeholders, including executive leadership, on vulnerability management and remediation strategies.
• Stay Informed on Emerging Threats: Keep updated on the latest security threats, vulnerabilities, and attack methodologies, integrating new knowledge and techniques into Application Security testing and overall security practices.
  
  

Additional Responsibilities

• Team Development and Cross-Training: Foster cross-training across security functions, ensuring team members are well-rounded in Security Monitoring & Response, Security Control Engineering, and Security Risk Management.
• Security Program Compliance and Reporting: Ensure all activities comply with the Bank’s internal control policies, industry regulations, and legal requirements. Maintain transparent communication regarding policy noncompliance, potential violations, and operational risks.
  
  

Education And Experience

• Bachelor’s degree in computer science, Cybersecurity, Information Security, or a related field. Equivalent experience will also be considered.
• 3-5 years of experience in application security, software development, or a related field.
• Experience with secure coding practices and tools (e.g., Burp Suite, OWASP ZAP, SAST, SCA, DAST, WAF)
  
  

Summary Of Qualifications

• Technical Expertise: Proficiency in programming languages (e.g., C#, Python, JavaScript, PowerShell, Bash).
• Web Application Testing Tool Proficiency: Expert in industry-standard security tools (e.g., Burp Suite, OWASP ZAP) and frameworks for assessing vulnerabilities.
• Cloud and Application Security Knowledge: Experience with web application frameworks, APIs, microservices, and major cloud environments (AWS, Azure, GCP), as well as familiarity with secure SDLC and DevSecOps practices.
• Regulatory Knowledge: Familiarity with compliance requirements for regulated industries, especially banking, including FDIC regulations.
• Leadership and Problem-Solving: Strong decision-making, project management, and problem-solving skills. Able to motivate and guide teams effectively under pressure and tight deadlines.
• Communication and Collaboration: Skilled in communicating complex security issues to diverse audiences, building partnerships across technical and executive teams.
• Cybersecurity Passion and Insight: Demonstrates a proactive approach to cybersecurity, staying updated on industry trends, threats, and emerging hacking techniques.
  
  

The salary range for this position, if located in NY Metro/NY State is $96,521 to $107,246. However, please note that the salary range will vary for other geographic areas.

Our Employee Value Proposition

• Competitive Pay, including a Bonus Target or Variable Pay Incentive Program
• Benefits Package -Medical, Dental, and Vision (plus much more)
• 401(k) Plan with Company Match
• Short- & Long-Term Disability
• Wellness Programs
• Group Life and AD&D Insurance
• Paid Vacation, Sick Days and bank Holidays
• Employee Engagement Activities including Employee Appreciation Day, DEI Employee Resource Groups, Corporate Social Responsibility, Service Recognition
  
  

We offer a total rewards package comprised of a competitive base rate of pay, variable pay incentive programs based on the role, and a comprehensive benefit suite.  Offered rates of pay are determined based on job-related knowledge, relevant experience, skills, certifications, and geographic location.

We are an equal opportunity employer, and we evaluate qualified applicants without regard to race, color, religion, sex, national origin, disability, veteran status or any other legally protected characteristic.  We will conduct a thorough background check for all hires in compliance with applicable.