Resumo da vaga

Senior Software Security Engineer

Requisitos e responsabilidades

Conteúdo da vaga extraído em seções para revisão mais rápida.

Security Design and Implementation

  • Perform threat modelling, risk assessments, and architecture reviews to identify and mitigate risk.
  • Perform requirements analysis, security audits, and provide detailed mitigation recommendations specifically for Cloud and Container environments.
  • Design, review, and enforce Key Management and Identity and Access Management (IAM) controls.
  • Support the engineering teams on definition on detailed security requirements to meet compliance requirements and industry best practices.
  • Perform security code reviews looking for potential security vulnerabilities.
  • Act as a subject matter expert to advise and answer questions from engineering and compliance teams on technical product security matters.

Security Testing

  • Define and oversee the deployment of Software Composition Analysis (SCA) tools to compile SBOMs of software components, helping to identify known vulnerabilities and license compliance violations.
  • Define and oversee the deployment of automated security testing tools into CI pipelines, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Secret Detection scanning tools.
  • Apply a basic level of knowledge and experience in manual network and application security testing to validate controls.
  • Write custom scripts or unit test cases to check for vulnerabilities or broken/missing security controls.
  • Recommend improvements to existing security scanning tools and processes, and propose new ones.

Vulnerability Management

  • Drive vulnerability management with a strong focus on Kubernetes (K8s) infrastructure and container images.
  • Periodically triage the findings from the automated security scanning tools.
  • Validate potential security vulnerabilities to determine whether they are actual true positives, or false positives (i.e. non-applicable) in the product context. Write proof of concept exploits when necessary to achieve this.
  • Assess the risk of vulnerabilities and threats in order to help the business determine their remediation priority order.
  • Communicate the identified security issues to engineering and compliance stakeholders, and manage them throughout the SDLC process to ensure they are properly addressed.

SDLC and DevSecOps Integration

  • Establish and maintain secure coding standards, baseline product security requirements and more general best practices to provide guidance to development teams.
  • Assist the program area with implementing a secure Continuous Integration/Continuous Delivery (CI/CD) pipeline utilizing DevSecOps principles and practices to increase automation.
  • Implement automated security controls as part of CI/CD pipelines.

Incident Response and Compliance

  • Support product security incident response processes, including root cause analysis (identify the affected product components, data, and the overall impact level) and definition of mitigation strategies.
  • Apply Detection Engineering principles, including the determination of baseline application security parameters and the creation/maintenance of application-level rules for IDS/IPS.
  • Define clear criteria and protocols for security incident response, including creation of technical runbooks.
  • Conduct post-incident analysis to compile lists of lessons learned, and measures to prevent similar incidents from reoccurring, and refine response strategies.
  • Monitor emerging security threats, vulnerabilities, and trends to proactively investigate, remediate, and integrate new protections.
  • Ensure products comply with relevant security standards, certifications, and regulations (e.g., OWASP, NIST).

Experience and Education

  • 7+ years of experience in Security Engineering with a focus on product security and/or application security.
  • Bachelor’s degree in Computer Science, Information Security, or a related technical field.
  • Experience leading cybersecurity process change and mentoring on secure by design principles.
  • Partnering with engineering teams to ensure secure coding practices and adoption of industry best practices.​
  • Proactively ​monitor emerging security threats, vulnerabilities, and trends to investigate, remediate, and integrate new protections.
  • Drive continuous improvement of product security posture by identifying gaps and implementing solutions.

Technical Skills

  • Strong knowledge of Cloud and Container security, including orchestration (e.g. AWS, Azure, Google Cloud, Docker, Kubernetes)
  • Vulnerability Management lifecycle experience, specifically for cloud infrastructure and container images.
  • Strong understanding of Key Management and IAM controls.
  • Proven experience in designing and implementing threat modelling programs (e.g., STRIDE, PASTA, DREAD).
  • Exceptional analytical and investigative skills, with hands-on experience in root cause analysis.
  • In-depth knowledge of techniques, standards, and state-of-the-art authentication and authorization technologies, applied cryptography, security vulnerabilities and remediations.
  • Strong knowledge of web-related protocols and technologies (HTTP, REST APIs), networking protocols (IP, TCP, UDP), and security protocols (TLS).
  • Significant software development experience. Experience in Go and C#.
  • Strong knowledge of security principles, best practices, and industry standards, such as NIST, ISO 27001, and CIS Critical Security Controls, OWASP ASVS and Testing Guides.
  • Experience designing and implementing processes to integrate SCA, SAST, DAST, IAST, and RASP tooling as part of the SDLC and driving adherence.
  • Experience with CI/CD pipeline, security tools integration.
  • Experience with defining and enforcing technical security standards and controls.

Advanced Expertise

  • Deep vulnerability analysis, research, and development of exploits to validate findings.
  • Background in Web Application security.
  • Advanced manual penetration testing skills in the domains of cloud infrastructure, web applications, embedded/OS, or mobile.
  • Familiarity with security considerations for AI/ML systems is desirable.
  • Understanding of distributed systems design, implementation and operation.
  • Understanding of privacy threats and controls, including on how to adapt generic best practices to specific scenarios in the product by providing detailed specifications to stakeholders.
  • Experience with SIEM, enterprise log collection and analysis platforms (e.g., Splunk, OSQuery).

Education and Certifications

  • Master's degree or equivalent experience preferred.
  • Cloud focus security certifications is a strong plus, especially CCAK, CCSP, AWS Certified Security - Specialty.
  • Additional certifications are also relevant including OSCP, SANS/GIAC, CCSP, and CISSP.

Soft Skills and Leadership

  • Excellent verbal and written communication, with the ability to translate complex security concepts to technical and non-technical stakeholders.
  • Demonstrated ability to design, document, and implement new security processes.
  • Experience in a high-growth technology environment or SaaS business.
  • Ability to remain calm under pressure, especially during incidents or audits.

Soft Skills and Leadership

  • Competitive salary and bonus schemes
  • Two weeks additional pay per year (holiday bonus).
  • 25 days holiday entitlement + bank holidays.
  • Attractive defined contribution pension scheme.
  • Private medical insurance.
  • Employee stock purchase plan.
  • Flexible working options.
  • Life assurance.
  • Enhanced maternity and paternity pay.
  • Career development support and wide ranging learning opportunities.
  • Employee health and wellbeing support EAP, wellbeing guidance etc.
  • Carbon neutral initiatives/goals.
  • Corporate social responsibility initiatives including support for volunteering days.
  • Well known companies discount scheme.
Vagas similares

Mantenha uma lista reserva.

Ver stack
FocoSoftware Security EngineerÁrea da vaga
Sinal de senioridadeSeniorNível do candidato
StackAWS, Azure, CI/CDSkills principais
Localização1 país aceitoElegibilidade

Stack

Use estas tags para comparar vagas remotas similares.

Elegibilidade de localização

Candidatos devem aplicar apenas quando o país do perfil estiver listado aqui.

Seu perfilPaís não definidoEntre para comparar seu país com esta vaga.

Fluxo de contratação

O WithMira mostra a vaga e depois envia candidatos para a aplicação da empresa.

1Confira fit da vaga, stack e elegibilidade de localização no WithMira.
2Abra a página de aplicação da empresa pelo link rastreado.
3Salve a vaga ou assine oportunidades similares antes de sair.
Aplicar no site da empresaSite da empresaAbrir link