Title: Senior Application & Infrastructure Security Engineer
Department: Tech
Location: Remote
About CoinPoker
Welcome to CoinPoker, the innovative crypto-poker platform where advanced blockchain technology meets the thrilling world of online poker. At CoinPoker, we are revolutionizing the poker experience by offering fast, secure, and transparent gameplay. With recent substantial investment, we are poised to take over the online crypto-poker space and are expanding our team to support our growth.
The Opportunity
We are looking for a seasoned Security Engineer to own and elevate the security posture of our platform end to end, from the Cloudflare edge and AWS infrastructure down to the API layer, frontend, and backend application code. This is a high-impact, high-ownership role embedded within engineering. You will work closely with product, DevOps, and development teams to identify threats before they become incidents, respond decisively when they do, and build the systems, policies, and culture that keep our users and platform safe.
Key Responsibilities:
Own and drive the end-to-end security posture of all web, API, and infrastructure surfaces
Identify, assess, and remediate vulnerabilities across frontend (web + Electron), backend services, and cloud infrastructure
Design and enforce security controls at the Cloudflare edge — WAF policies, bot mitigation rules, Turnstile integrations, and rate limiting strategies
Harden AWS environments: API Gateway, EC2, Lambda, S3, RDS, and supporting services in line with least-privilege and zero-trust principles
Lead threat modelling sessions for new product features and flag security gaps before they reach production
Monitor, investigate, and respond to security incidents — from Cloudflare firewall events and WAF alerts to SIEM-detected anomalies
Conduct regular penetration testing and vulnerability assessments; triage and prioritise findings by business impact
Define and enforce HTTP security header policies (CSP, HSTS, X-Frame-Options, Referrer-Policy) across all domains
Build and maintain a DDoS response playbook; lead active mitigation during volumetric and application-layer attacks
Partner with engineering teams to embed secure coding practices and participate in code reviews for security-sensitive changes
Manage the responsible disclosure and bug bounty programme; triage external researcher reports
Produce clear security reports, risk registers, and executive briefings; track remediation SLAs
Stay current on emerging attack vectors, CVEs, and threat landscape changes relevant to online gaming and fintech platforms
Highly Desired Knowledge and Experience:
8+ years of hands-on experience in application, infrastructure, and web security
Deep expertise in OWASP Top 10 vulnerabilities: SQLi, XSS, CSRF, IDOR, RCE, SSRF, and clickjacking
Proven experience with DDoS attack detection, mitigation, and post-incident analysis
Strong command of Cloudflare — WAF rules, Bot Management, Turnstile, Rate Limiting, Transform Rules, and Firewall Events analysis
Hands-on AWS security experience: IAM policies, Security Groups, VPC design, API Gateway throttling, WAFv2, Shield, GuardDuty, and CloudTrail
Deep understanding of API security: authentication flows (OAuth2, JWT, OTP abuse), rate limiting and endpoint hardening
Experience securing frontend applications against XSS, CSP bypass, clickjacking, and third-party script risks
Backend security expertise: input validation, secure coding practices, secrets management, SQL injection prevention
Proficiency with penetration testing tools: Burp Suite, OWASP ZAP, Nmap, Metasploit, Nikto
Experience conducting and managing vulnerability assessments, threat modelling, and security audits
Solid understanding of TLS/SSL, HTTP security headers (HSTS, CSP, X-Frame-Options), certificate management
Experience with SIEM platforms, log aggregation, alert tuning, and incident response
Knowledge of bot mitigation strategies — JA3/JA4 fingerprinting, bot scoring, heuristic vs ML detection
Familiarity with compliance frameworks: ISO 27001, SOC 2, PCI-DSS, or GDPR
Strong written and verbal communication skills — able to produce security reports and brief non-technical stakeholders
Hands-on experience integrating security testing into CI/CD pipelines: SAST, DAST, SCA, and secrets scanning as automated gates
Our recruitment process is as follows:
Apply
Have an introduction call with the recruitment team
Do a test
Have a technical interview
Equal Opportunities
CoinPoker is an equal-opportunity advocate welcoming applicants from all backgrounds.
