Soar is a global fintech startup that specializes in financing and investment. Currently headquartered in Saudi Arabia, Soar is growing throughout the region with a mission to help people achieve their financial goals with innovative financial and property investment solutions and tools through its multi-purpose platform, designed to offer a simple and seamless user experience.
Role Summary:
You will be the architect of our "Security by Design" philosophy. Your primary mandate is to embed security into every stage of our software development lifecycle, from the first line of code to production deployment. You will leverage AI-driven tools to automate threat detection and vulnerability management, ensuring that our speed of innovation is matched by our speed of defense.
Key Responsibilities:
1. Secure Software Development Life Cycle (SSDLC)
Shift Left Security: Champion the integration of security early in the development phase. Lead Threat Modeling sessions during the design phase of new features to identify risks before code is written.
CI/CD Pipeline Security: Automate security gates within our deployment pipelines. Implement and manage SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis) tools.
Secure Coding Standards: Establish and enforce secure coding guidelines (OWASP Top 10, SANS 25) for our engineering team. Conduct regular code reviews and security training for developers.
2. AI & Automation Integration
AI-Enhanced AppSec: Utilize AI-powered code analysis tools to reduce false positives in vulnerability scanning and provide auto-remediation suggestions to developers.
Automated SOAR: Build and maintain a Security Orchestration, Automation, and Response (SOAR) framework. Create playbooks that automatically isolate compromised assets or block malicious IPs without human intervention.
Predictive Defense: Deploy AI-driven network monitoring to detect behavioral anomalies in our self-hosted infrastructure (e.g., zero-day attacks or lateral movement) that traditional rules might miss.
Hardening: Oversee the security hardening of our self-hosted environments (Kubernetes clusters, Docker containers, and Linux servers).
Traffic Analysis: Manage WAF (Web Application Firewall) rules and DDoS protection layers, ensuring high availability for our customers.
Secrets Management: Enforce strict secrets management (e.g., Vault) to ensure no credentials are hardcoded in the application.
4. GRC (Governance, Risk & Compliance)
Regulatory Adherence: Ensure our SSDLC and operations strictly adhere to SAMA's Cybersecurity Framework and NCA's Essential Cybersecurity Controls (ECC).
Audit Readiness: Automate evidence collection for compliance audits to minimize manual overhead.
Data Residency: Ensure all AI processing and data storage complies with the Personal Data Protection Law (PDPL), keeping critical data within KSA.
Qualifications
Education & Experience:
Experience: 6+ years in Cybersecurity, with specific experience in Application Security or DevSecOps.
Managerial: Proven ability to lead technical initiatives and influence engineering teams.
Tech Stack: Deep experience with CI/CD tools (Jenkins, GitLab, GitHub Actions), Container Security (Kubernetes/Docker), and Python/Go scripting.
Technical Skills:
SSDLC Mastery: Expert knowledge of integrating security tools (SonarQube, Checkmarx, Burp Suite, etc.) into a pipeline.
AI/Automation: Experience implementing AI-based security tools (e.g., Darktrace, Vectra, or AI-enabled SIEMs) and writing automation scripts.
Regulatory Knowledge: Strong understanding of SAMA regulations regarding application security and data protection.