Senior Software Security Engineer

Job Summary

Senior Software Security Engineer – Remote. Responsible for analysing software designs, implementations, and security controls throughout the software development lifecycle (SDLC). Focus on threat modelling, secure design, testing, vulnerability management, and Dev Sec Ops  integration.

• Perform threat modelling, risk assessments, and architecture reviews to identify and mitigate risk.
• Support engineering teams in defining detailed security requirements to meet compliance and industry best practices.
• Conduct security code reviews for potential vulnerabilities.
• Serve as a subject matter expert, advising engineering and compliance teams on technical product security matters.
• Define and oversee the deployment of Software Composition Analysis (SCA) tools, generating SBOMs to identify known vulnerabilities and license issues.
• Define and oversee automated security testing tools in CI pipelines, including SAST, DAST, and secret detection scanning.
• Perform manual penetration testing of web applications and, when desired, cloud, embedded, OS, or mobile environments.
• Write custom scripts or unit tests to verify vulnerabilities or missing controls.
• Recommend improvements to security scanning tools and processes, and propose new ones.
• Periodically triage findings from automated tools, validating true positives versus false positives and delivering proof‑of‑concept exploits when needed.
• Assess vulnerability risk to prioritize remediation for the business.
• Communicate identified security issues to stakeholders and manage them through the SDLC to ensure resolution.
• Establish and maintain secure coding standards, baseline product security requirements, and general best practices.
• Assist in implementing a secure CI/CD pipeline with Dev Sec Ops  principles to enhance automation.
• Implement automated security controls within CI/CD pipelines.
• Support product security incident response, including root cause analysis, mitigation strategies, incident criteria, and post‑incident lessons.
• Monitor emerging threats, vulnerabilities, and trends to proactively investigate, remediate, and integrate new protections.
• Ensure product compliance with relevant security standards, certifications, and regulations (e.g., OWASP, NIST).

• 5+ years of experience in Security Engineering with a focus on product and/or application security.
• Bachelor’s degree in Computer Science, Information Security, or a related technical field.

• In‑depth knowledge of Linux and Docker container‑based infrastructures, including orchestration (e.g., Kubernetes).
• Working knowledge of authentication, authorization, applied cryptography, security vulnerabilities, and remediation techniques.
• Significant software development experience; experience in Go (primary backend language), Type Script/JavaScript, C/C++, Python, and Bash is desirable.
• Knowledge of web protocols (HTTP, REST APIs, DOM, CSP), networking protocols (IP, TCP, UDP) and security protocols (TLS).
• Experience performing threat modeling with common threat vectors and frameworks.
• Strong knowledge of security principles, best practices, and industry standards (NIST, ISO 27001, CIS Controls, OWASP ASVS and Testing Guides).
• Familiarity with industry‑standard security frameworks such as OWASP and NIST.
• Experience with security tools (SAST, DAST, IAST, SCA).
• Exceptional analytical and investigative skills, including root‑cause analysis.
• Knowledge of current and emerging threats and exploitation techniques.
• Experience with CI/CD pipeline integration, security tools, and secure SDLC.
• Experience with cloud infrastructure (AWS, Azure, or Google Cloud) and best practices for securing cloud environments.

• Familiarity with security considerations for AI/ML systems.
• Understanding of distributed systems design, implementation, and operation.
• Understanding of privacy threats and controls, including tailoring best practices to specific product scenarios.
• Exploit development experience and knowledge of conditions needed to trigger vulnerability types.
• Experience with enterprise log collection and analysis platforms (e.g., Splunk, OSQuery).