Senior Application Security Engineer

Tokyo
Remote OK - Anywhere in Japan
Full-time
May 13, 2025

About KOMOJU

KOMOJU (by Degica) is the leading cross-border payment gateway for Japan. We power payments for companies like video game distribution platform Steam and the popular mobile app TikTok. Today we help thousands of merchants by providing them with the payment infrastructure they need through developer-friendly API’s to integrations on popular platforms like Shopify and Wix; we help our merchants grow in all markets they are expanding. Degica fosters a flat, inclusive culture with a focus on project ownership, continuous improvement, and remote work flexibility.

About this position

We are looking for an experienced and dynamic Application Security Engineer to join our team. The ideal candidate will play a pivotal role in managing our bug bounty programs, building a robust application security program from the ground up, and fostering a strong security culture within the organization. Previous experience as a developer is highly desirable, as it will aid in understanding and mitigating security vulnerabilities in our applications. Passion and a sense of ownership, along with effective communication skills, are crucial for success in this role.

Why join Degica?

Be part of an innovative and forward-thinking company in the payment space
Work in a collaborative and inclusive environment.
Opportunity to shape the security landscape of the organization.
Competitive salary and benefits package.

If you are passionate about application security and have the skills and experience we are looking for, we encourage you to apply and help us secure our digital future.

Responsibilities

Build the Application Security Program

Develop policies, procedures, and standards to safeguard our applications.
Conduct risk assessments and implement controls to mitigate security threats.
Help manage external pentesting required to meet regulatory compliance.

Integrate Security into the SDLC

Implement and manage a Secure Software Development Life Cycle (SSDLC) process.
Design, implement, and operate a DevSecOps program with automated security testing in our CI/CD pipelines.
Guide development teams in integrating security best practices.
Manage a security bug-bounty program, responding to reports in a timely manner and ensuring fixes are tested and implemented by our developers.

Foster a Secure Code Culture

Promote application-security awareness and best practices across all teams.
Conduct code reviews and provide guidance on secure coding practices and secure software architecture.
Provide training and resources to development teams to ensure secure coding practices.

Requirements

Proven experience in the application security domain, with a minimum of 3 years of hands-on experience.
Familiarity with key application security principles, frameworks, and technologies (e.g., CWE, MITRE, OWASP, CIS Benchmarks)
Strong understanding of security principles and practices.
Previous experience as a developer is highly desirable.
Familiarity with application security assessment tools.
Experience with end-to-end vulnerability management (e.g., SAST and DAST).
Technical knowledge to understand vulnerability risk and remediation steps.
DevSecOps experience, building security controls into CI/CD pipelines (GitHub actions, CircleCI, GitLab CI/CD).
Familiar with security hardening standards and implementation.

Nice to have

Working proficiency in Japanese is helpful but not necessary.
Willingness to learn new technologies and collaborate with distributed and multidisciplinary teams.
Experience with building custom security tooling is a plus.
Cyber Security related certifications.

Tech Stack:

Languages: JavaScript, Ruby, Python, Rust
Frameworks: Ruby on Rails, Vue
Databases: PostgreSQL, MySQL
DevOps: Docker, AWS
Version Control: GitHub
Monitoring and Logging: DataDog

Benefits

At Degica, we embrace remote work while also offering office space for those who prefer in-person collaboration
10 days regular vacation, additional 5 days summer and 5 days winter vacation
Paid birthday holiday
Budget for self-learning allowance, to ensure our employees’ skills remain current
Language training for Japanese

APPLY NOW ➜🇯🇵 Residents Only

About KOMOJU

KOMOJU (by Degica) is the leading cross-border payment gateway for Japan.

We power payments for companies like video game distribution platform Steam and the popular mobile app TikTok.

Today we help thousands of merchants by providing them with the payment infrastructure they need, through developer-friendly API’s to integrations on popular platforms like Shopify and Wix; we help our merchants grow in all markets they are expanding.

When it comes to engineering, we believe in having a flat, inclusive culture and constantly improving by continuing to evaluate ourselves. We also prize individuality and believe that each member brings their own unique value to the team.

Our development processes are always updating as the company grows, and we have an engineering culture that largely organizes itself and each engineer has a lot of ownership in their own projects. This culture allows engineers to showcase their strengths while continuing to grow.

Japanese Language Policy
With around half of their total members (and around 75% of engineers) coming from outside Japan, KOMOJU generally uses English for written communication (e.g. Slack, Github). Verbal communication is also primarily in English.

However, quite a few people working there can speak both English and Japanese fluently so Japanese may be spoken at times during meetings, especially when they involve teams other than engineering.

Overall, the language spoken depends on the team. The dev team uses mostly English, but their HR team (for example) speaks primarily Japanese.
Visa Sponsorship
KOMOJU sponsors visas for candidates living outside of Japan. They’re still hiring from abroad, but due to travel restrictions related to COVID-19 new employees from abroad may need to start working on a contract basis. KOMOJU will switch you over to a full-time employee contract and sponsor your visa once it’s safe to come to Japan again.

KOMOJU also helps out with relocation (searching for apartments etc.) but they don’t have a formal policy for this. The support offered depends on each individual case. They do always pay for flight tickets to Japan in the case that someone moves from abroad however.
Paid Leave
KOMOJU has a very generous vacation policy.

Like most companies in Japan, their basic PTO package starts with 10 days of normal paid time off during an employee’s first year, followed by increases in subsequent years in accordance with Japanese labor law.

KOMOJU also offers 5 extra vacation days that can be used during the summer months, and another 5 days of year-end holidays.

They also have birthday leave, which means members can get an extra day off each year on their birthday. So that’s a total of 21 vacation days per year in addition to Japanese public holidays. They also offer maternity and paternity leave.
Benefits
💻 New tech gear

👩‍🎓 Skill development support

💛 Support for attending conferences

🧡 Seminar participation support

📕 Book purchases

👶 Parental Leave

👩‍🏫 Language Learning Support

💜 Social security / insurance benefits included

🏥 Healthcare insurance

💚 Pension insurance

🚃 Commuter allowance

👍 Motorized sitting / standing desks when working from our office
Engineer Interview Process
Engineering Jobs

KOMOJU’s interview process skips the high-pressure whiteboard interviews in favor of a coding challenge that’s closer to what engineers would actually work on day-to-day.

Here’s the basic interview flow:
- First interview: Meeting with two KOMOJU engineers to discuss about something you’ve built and see if you’re a good cultural fit
- Second interview: Technical challenge to test your real-world development skills
- Third interview: Meeting with a senior leader in the company
Remote Work
KOMOJU allows full remote work from anywhere in the world! The only stipulation is that your work hours must have some overlap with the JST time zone.

Even once COVID-19 is no longer a concern, KOMOJU intends to continue their full remote policy.

And if you do relocate to Japan, there's no need to live near their Tokyo office — you can work from anywhere in Japan.
Work style
KOMOJU has an office in the Kichijoji area of Tokyo, but they’ve switched to working fully remotely due to COVID-19. A typical work day at KOMOJU begins at around 10:00AM for most people. Some teams begin with a stand-up meeting where they quickly share their tasks for the day before focusing on work for the rest of the day.

One unique aspect of KOMOJU’s work style is their code review process. Since they have a flat hierarchy and a relatively small team, they have a system where reviewers are selected randomly. Their engineers also take care of operations and handle errors or technical customer queries as a team via Slack.

A typical stopping time for engineers at KOMOJU is at around 7:00PM, and they have very little overtime so engineers normally won’t be online past this time. They also make it a point to avoid unnecessary meetings and prefer to have ad-hoc discussions with relevant members only.