Senior Software Engineer, Security at Loancrate

WHAT IS LOANCRATE? We started Loancrate to make home-buying simpler and less expensive for lenders and borrowers (us!). Today, mortgage lenders are stuck running their companies on software products built 20 years ago. These products are slow, unstable, and don't lead to material improvements in efficiency. When using these systems, the average human cost to originate a loan is still over $11,000. Loancrate builds AI-native tooling to automate mortgage workflows. Our ultimate goal is fully automated origination, which has the potential to save lenders over $16B in operating expense per year. Since starting in 2020, our remote team has enabled our customers to power >$85 billion in new home loans. We are a group of people excited to tackle the complexity of the home-lending industry. We care about collaboration, very open communication covering the good & the bad so that we learn from our decisions quickly, and ultimately having fun while we’re building. You’ll fit in well if you like diving deep quickly! THE OPPORTUNITY We’re looking for a Senior Software Engineer, Security to help make Loancrate more secure without making it harder to build here. This is a hands-on senior IC software engineering role for someone who specializes in security. You will work directly in our product and platform code, build internal tooling and guardrails, review designs and implementations, and help engineers eliminate classes of vulnerabilities at the source. We handle highly sensitive personal and financial data, so security matters deeply here. But we believe good security work shows up as better architecture, safer defaults, useful tooling, and sound engineering judgment — not process theater. This role is focused primarily on product security and security engineering: secure design, threat modeling, code review, authentication and authorization, secrets handling, CI/CD guardrails, and internal tooling. It is not primarily a compliance-management, endpoint-IT, vendor-risk, or scanner-operations role. This role is best suited to someone who likes startup environments: small teams, broad ownership, imperfect systems, and the chance to materially improve the product through direct engineering work. You should be comfortable making pragmatic decisions, operating with incomplete information, and focusing on the highest-leverage fixes rather than importing heavyweight processes from much larger companies. WHAT TO EXPECT As a senior engineer at Loancrate, you should expect to spend meaningful time in code, in design reviews, and in implementation — not primarily coordinating programs or acting as an external reviewer. You will likely spend your time on work such as: - building secure-by-default libraries, helpers, and templates that engineers use across services - reviewing designs and pull requests for authentication, authorization, tenant isolation, secrets handling, data exposure, and abuse cases - improving developer workflows and CI/CD guardrails so real issues are caught early with minimal noise - partnering directly with product and platform engineers to fix vulnerabilities in code and architecture - raising the security baseline incrementally and pragmatically in a fast-moving environment CORE RESPONSIBILITIES - Design and build shared libraries, platform guardrails, and internal tools that make the secure path the easy path for engineers - Review architecture, technical designs, and production code for security issues in product and platform systems - Perform pragmatic threat modeling for new features, workflows, services, and integrations - Improve core security patterns across the stack, including authentication, authorization, secrets handling, secure logging/redaction, auditability, and sensitive-data protections - Build or improve developer-facing security automation in CI/CD and local workflows, including code scanning, dependency policy, secret detection, and infrastructure checks, with a bias toward low-noise, high-signal results - Work directly with engineers to remediate vulnerabilities in code and design, focusing on durable fixes and reusable patterns rather than one-off tickets - Help define and evolve a lightweight secure SDLC that fits a fast-moving startup environment - Contribute to incident analysis and postmortems when product or platform security issues arise - Write clear documentation, examples, and decision records that help teams build securely without unnecessary friction TECH STACK Our stack evolves, but today you’re likely to work in technologies like: - Full-stack TypeScript, running on Node.js for backend services, APIs, and internal tooling - AWS and Cloudflare for cloud infrastructure, managed via Terraform or Pulumi - Application services running in Docker on ECS, using either EC2 or Fargate - Core data and platform services including PostgreSQL, Redis, Kafka, and OpenSearch - CI/CD and internal automation built around modern engineering workflows, including Buildkite and infrastructure as code WHAT WE’RE LOOKING FOR - Strong software engineering background, ideally in backend or platform systems - Comfortable making meaningful contributions in a production codebase, not just scripts or proofs of concept - Experience with secure design reviews, threat modeling, code review, and vulnerability remediation - Strong understanding of common application and API security issues, including authentication, authorization, injection risks, secrets handling, session security, data exposure, and multi-tenant isolation - Experience building engineering-facing tooling, libraries, CLIs, CI/CD checks, or other developer-platform guardrails - Good technical judgment and a practical approach to reducing real risk without slowing the company down unnecessarily - Strong written communication and the ability to explain technical risk clearly to engineers and non-security stakeholders - Comfort operating with high autonomy in a small or medium-sized engineering organization - Preference for solving problems in code and architecture rather than by introducing heavyweight process HELPFUL, BUT NOT REQUIRED - Experience with TypeScript/Node.js and modern cloud-native backends - Familiarity with AWS security fundamentals and reviewing infrastructure-as-code changes - Experience in fintech or another regulated environment handling sensitive customer data - Familiarity with SOC 2 or similar frameworks - Familiarity with identity systems such as SSO, SAML, SCIM, MFA, and hardware-backed authentication - Experience building internal developer tools or paved-road platform components - Experience balancing speed, usability, and security in a startup environment Perks & Benefits - Robust medical coverage (100% of employee + family premiums covered) - Vision & dental coverage - 401(k) - HSA / FSA - Remote-first culture - work from wherever you do your best work - Flexible time off - we trust you to manage your time Loancrate is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We do not discriminate on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, veteran status, or any other legally protected characteristic.