Application Security Engineer

Let’s be honest: most “application security” roles either sit too far from delivery… or turn into checkbox exercises.

This one doesn’t.

We’re looking for a Product Security Engineer who wants to be embedded with engineers, shaping how secure software is actually built - not just reviewing it after the fact.

You’ll sit within Cyber Security, but day-to-day you’ll be part of the Digital team, working shoulder-to-shoulder with developers, product managers, architects and DevOps engineers.

Your job? Make security the default, not the blocker.

The Role (In Plain English)

You’ll be the go-to person for application and product security across the full SDLC - from early design conversations through to production and beyond.

This is a hands‑on role. You’ll threat model with teams, review designs, help fix vulnerabilities, improve pipelines, and continuously raise the bar for how secure our products are.

You won’t be throwing reports over the fence. You’ll be in the room when decisions are made.

What You’ll Be Doing:

Owning product & application security

• Driving security across requirements, design, build, test, deploy and operate.
• Defining secure coding standards and application security best practice.
• Running threat modelling and security design reviews.
• Identifying, prioritising and managing application security risk.
• Supporting secure architecture decisions for cloud-native and SaaS solutions.
• Working directly with developers to embed security into their workflows.
• Helping teams remediate vulnerabilities - hands‑on, pragmatic, and fast.
• Creating security patterns, reference architectures and reusable components.
• Delivering clear, practical application security guidance and training.

Cloud & platform security (Azure)

• Ensuring secure design and configuration of Azure-hosted applications.
• Reviewing use of Azure services (App Services, Functions, Storage, Key Vault, Identity, etc.).
• Supporting secure CI/CD pipelines and DevSecOps practices.
• Helping define cloud security standards and guardrails.

You’ll need:

• Experience as a Product Security Engineer, Application Security Engineer or similar.
• A solid grasp of secure SDLC and DevSecOps.
• Experience with Threat Modelling (STRIDE or equivalent)
• Hands‑on experience with SAST, DAST and SCA tools.
• Strong knowledge of common vulnerabilities (OWASP Top 10).
• Experience securing cloud-hosted applications (especially Azure).
• Understanding of modern architectures: APIs, microservices, CI/CD.
• The ability to explain security risk without scaring or confusing people.

Nice to have (not essential):

• Salesforce security or integration experience.
• Container security (Docker / Kubernetes).
• Identity & access knowledge (OAuth2, OIDC, Azure AD).
• Experience in regulated environments or frameworks like ISO 27001 or NIST.

If you’re a hands‑on application security specialist who wants to make a real impact - not just write policies - this is one worth talking about.

#J-18808-Ljbffr