Product Security Engineer

Company: The Engine
Location: City of Westminster
Job Description:

As a Product Security Engineer at Engine, you will be a technical strategist responsible for proactively identifying and mitigating security risks across our platform and products. Your primary mission is to ensure we build secure systems by providing expert security analysis, architectural guidance, and process leadership.

Responsibilities

  • Conduct comprehensive security architecture and design reviews, ensuring that security is embedded from the start.
  • Lead the threat modelling process (e.g., using STRIDE) for new products and features, identifying potential design flaws and defining security controls.
  • Manage the end‑to‑end penetration testing lifecycle, from scoping engagements with technical teams to triaging, validating, and driving remediation of findings.
  • Analyse and interpret results from security tools (SAST, DAST, vulnerability scanners) to prioritise and address the most critical risks.
  • Act as a key security advisor to engineering teams, providing expert guidance on security best practices, vulnerability mitigation, and secure design patterns.
  • Translate regulatory requirements (PCI DSS, SOC 2, ISO 27001) into concrete technical controls and implementation plans in collaboration with the GRC team.
  • Lead incident response efforts, including investigation and remediation of security breaches.
  • Support internal security awareness and training programs and advocate the DevSecOps mindset across our technology teams.

Qualifications

  • Significant experience in a security-focused role with a strong emphasis on risk analysis, threat detection, and architectural review.
  • Proven expertise in conducting threat modelling and security design reviews for complex, cloud‑native applications (AWS/GCP, Kubernetes).
  • Deep understanding of common application and infrastructure vulnerabilities (OWASP Top 10, MITRE ATT&CK) and their mitigation.
  • Experience managing penetration testing engagements and working with development teams on remediation.
  • Mature understanding of cloud security architecture (AWS, Google Cloud).
  • The ability to read and understand code (e.g., Go, Python) and Infrastructure‑as‑Code (Terraform) to effectively analyse security risks.
  • The ability to document security requirements from various stakeholders.
  • A practical understanding of how to integrate security into the software development lifecycle.
  • Excellent communication skills, with the ability to articulate complex technical risks to diverse audiences.
  • A thorough understanding of the incident response process and the principles of Zero Trust architecture.
  • A proactive approach to staying updated with the latest security threats, vulnerabilities, and mitigation techniques.

Desirable (but not essential) skills

  • Hands‑on experience helping a company achieve and maintain compliance with frameworks like SOC 2, ISO 27001, or PCI DSS.
  • Experience in automating security controls and compliance checks against standards and frameworks (including SOC 2, ISO 27001, PCI DSS/3DS).
  • Experience performing secure code reviews and using SAST/DAST tools for security approvals.
  • Expertise in Kubernetes, securing clusters and meshes (Cilium preferable), networking best practices and RBAC implementation (CKA, CKS qualifications are a plus).
  • Container security knowledge, including container image provenance (e.g., Sigstore, Notary) and an in‑depth knowledge of container runtimes.
  • Strong understanding of network protocols & practices, firewalls, intrusion detection/prevention systems and WAFs.
  • Understanding of integrating security into the software development lifecycle.
  • Experience in cryptography management and enhancements.
  • Experience configuring and utilising cloud‑native security logging, monitoring, and detection services.
  • Experience with Infrastructure as Code and infrastructure provisioning tools (CloudFormation, Terraform) for analysis and review.
  • Scripting and programming skills (e.g., Python, Go) for creating proof‑of‑concepts or small scripts to validate findings.
  • Relevant security certifications such as ISC² CC, CISSP, CCSP, CISM, AWS Security Specialist or GCP Professional Cloud Security Engineer.

Benefits

  • 33 days holiday (including public holidays when convenient).
  • An extra day off for your birthday.
  • Annual leave increases with length of service; you may buy or sell up to five extra days.
  • 16 hours paid volunteering time a year.
  • Salary‑sacrifice pension scheme.
  • Life insurance at 4× salary & group income protection.
  • Private medical insurance (VitalityHealth) with mental health support and cancer care; partner discounts with Waitrose, Mr & Mrs Smith, Peloton.
  • Generous family‑friendly policies.
  • Referral‑to‑friend incentive scheme.
  • Perkbox membership providing retail discounts, wellness platform and weekly perks.
  • Access to initiatives such as Cycle to Work, salary‑sacrifice gym partnerships and electric vehicle leasing.

Engine by Starling is an equal‑opportunity employer. We consider applications without regard to race, religion, national origin, age, sex, gender, gender identity, gender expression, sexual orientation, marital or relationship status, medical condition or disability, military or veteran status or any other characteristic protected by applicable law. Applicants provide personal data with their own consent and should understand that it will be processed in accordance with our Privacy Notice.


Posted: April 9th, 2026