Staff Product Security Engineer
Cherry
Location: Remote (US)
Employment Type: Full time
Department: U.S. Engineering
About Cherry
Founded in 2019, Cherry is a fast-growing FinTech offering the simplest, fastest, and most inclusive BNPL solution for medical practices, including dental, medical aesthetics, and veterinary practices. We help practices treat more patients by making care financially accessible. Cherry is led by Stanford entrepreneurs with a previous successful exit and backed by top investors, including Kleiner Perkins and DCM.
About the Role
As Cherry scales its platform across thousands of medical practices and millions of patient transactions, security is foundational. We are looking for a Product Security Engineer to embed directly within our engineering organization, helping us build and ship secure products from the ground up. You will own security across our product surface area: from threat modeling new features to hardening our authentication systems, cloud infrastructure, and payment flows. This is a high-impact, high-ownership role at a meaningful inflection point for Cherry's growth.
What You'll Do:
Partner with product and engineering teams to perform security design reviews and threat modeling for new and existing features across Cherry's platform.
Own and evolve Cherry's product security program — including secure coding standards, vulnerability management, and security testing processes.
Lead security reviews for authentication and authorization systems, ensuring robust access control patterns across our web and mobile products.
Assess and improve the security posture of Cherry's cloud infrastructure including network controls, IAM policies, secrets management, and container security.
Champion security best practices for payment processing and for the handling of financial and health data, in alignment with PCI DSS and relevant compliance frameworks.
Conduct or coordinate penetration tests, red team exercises, and bug bounty triage; drive remediation of identified vulnerabilities.
Build and maintain security tooling integrated into the SDLC, including SAST, DAST, dependency scanning, and runtime protection.
Respond to security incidents, perform root cause analysis, and implement lasting fixes to prevent recurrence.
Educate and mentor engineers on security principles, fostering a culture of security ownership across the organization.
Monitor the threat landscape for emerging risks relevant to FinTech and healthcare-adjacent payment products.
What We're Looking For:
5+ years of experience in product security, application security, or a related security engineering role.
Deep expertise in authentication and authorization — including OAuth 2.0, OIDC, JWT, SAML, RBAC/ABAC models, and session management.
Hands-on experience securing cloud environments (AWS preferred), including IAM, VPC, container orchestration (EKS/ECS), and infrastructure-as-code.
Strong understanding of secure software development practices — OWASP Top 10, threat modeling (STRIDE or similar), secure code review, and vulnerability remediation.
Experience integrating security tooling (SAST, DAST, SCA) into CI/CD pipelines.
Excellent communication skills — able to articulate security risk clearly to both technical and non-technical stakeholders.
Proven ability to work cross-functionally in a fast-paced, high-growth engineering environment.
Nice to Have:
Penetration testing experience, with the ability to conduct or lead internal red team exercises or external pentest engagements.
Familiarity with payment industry security — PCI DSS, tokenization, EMV, card transaction security.
Experience at a FinTech, healthcare technology, or other regulated-industry company.
Compensation & Benefits:
Competitive Base + Bonus
Generous equity grant
Medical, vision, and dental benefits
Fully remote company
Flexible PTO