Salary range: 40.000€ €
We're looking for a driven Application Security Engineer to join our kununu IT team in Porto.
In this role, you'll be responsible for securing our web application and its AWS-native infrastructure, working closely with engineering and Cloud Infrastructure teams to embed security throughout the Software Development Life Cycle (SDLC).
You'll help protect, strengthen our application-security posture, and ensure secure, scalable deployments across a modern cloud stack. You'll be a key player in building trust with our users and maintaining a secure SaaS platform.
#kununujob
Your Tasks
You design, implement, and continuously improve application security controls for a PHP and JavaScript (NodeJS, React and NextJS) web application
You embed security into the CI/CD pipeline using GitHub and GitHub Actions, from build to deployment
You perform secure code reviews, threat modelling, and architecture reviews for new and existing features
You analyse application traffic patterns to detect and mitigate malicious bots, scraping, and automated abuse
You define application-aware bot protection controls using AWS WAF and Shield, including rate limiting, anomaly detection, and custom rules
You validate bot mitigation effectiveness through testing, monitoring, and continuous improvement
You define and operate Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and dependency-scanning tools, including policies for third-party and open-source components
You help design and maintain automated security test suites for test environments and live systems (continuous validation)
You collaborate with Cloud Infrastructure teams to secure AWS workloads running on ECS (EC2 & Fargate), ALBs, Lambdas, and WAF
You monitor, analyze, and respond to application-level security events using Security Hub, GuardDuty, CloudTrail, and WAF logs
You lead vulnerability management for application and cloud services, including prioritization and remediation guidance
You help shape kununu's application-security policies, standards, and secure design patterns
You support incident response and post-incident reviews with a strong application-security focus
You contribute to compliance efforts (e.g. GDPR, ISO from an application-security perspective
Your Skills
Strong experience in application security, ideally for PHP-based web applications
Solid understanding of web security fundamentals (OWASP Top 10, authentication, authorization, session management, input validation)
Hands-on experience with AWS security services, especially:
Security Hub
GuardDuty
CloudTrail
AWS WAF & Shield
Experience securing containerized workloads on ECS (EC2 & Fargate) and understanding of ALBs and Lambdas
Proven experience with SAST, DAST, and dependency-scanning tools (e.g. Snyk, Dependabot, Trivy, OWASP ZAP, Burp)
Strong understanding of secure design patterns and common application-security anti-patterns
Experience defining or maintaining automated security tests for CI/CD pipelines and runtime validation
Familiarity with GitHub Actions and modern DevSecOps practices
Comfortable scripting or automating security workflows (e.g. Bash, Python, or similar)
Strong communication skills and ability to work closely with developers and stakeholders
Fluent in English (Portuguese is a plus)
Your benefits
Mobile devices also for private use
Drinks, food & goodies
Sabbatical and part-time options
Remote work option
Trust-based working hours
Restaurant vouchers and employee discount
Transparent, competitive salary
Training courses and workshops
Up to 12 weeks Workation
Your contact person
You still got questions about the job?
Feel free to get in touch with us.
Bárbara Serrano
Talent Acquisition Specialist