The Role
As a Product Security Engineer Analyst, you will help embed security into our product development lifecycle, handle vulnerability management, and collaborate across teams to improve security practices across Trainline’s digital products.
What You’ll Do
Support Secure Development
- Support the integration of security practices across the product development lifecycle, helping teams design and build secure services and features.
- Work with teams to promote secure-by-default and a shift‑left approach to security, ensuring security considerations are addressed early to reduce the risk and cost of fixing issues later.
- Help integrate security checks (e.g., SAST, SCA, secret scanning) into CI/CD workflows to identify risks during development.
- Assist in triaging and analysing findings from automated tooling, validating results, weeding out false positives, and partnering with engineering teams to prioritise and remediate security risks.
Vulnerability Triage & Tracking
- Review and triage incoming security issues from scans and bug reports.
- Record, prioritise and help track remediation with developers and platform teams.
- Contribute to vulnerability monitoring dashboards and reports.
Learning & Threat Awareness
- Participate in threat modelling sessions and documentation efforts.
- Stay updated on common application vulnerabilities and security best practices.
- Shadow senior engineers in code reviews and security design discussions.
Security Advocacy
- Help promote secure coding principles across teams by sharing guidance and resources.
- Help improve developer adoption of security tools and best practices.
- Support delivery of internal training sessions and documentation updates.
Compliance and Standards
- Assist with aligning product security practices with relevant security frameworks and standards (e.g., OWASP, NIST, ISO 27001, GDPR, PCI DSS).
- Support regulatory compliance efforts and maintain evidence to meet audit requirements.
Who You Are
You are curious about how systems work and how they can be secured, bringing an aware consumer mindset that considers the intersection of technology, security, and product design.
Must Have
- Relevant education, training, or practical experience in cyber/information security or software engineering/development.
- Understanding of common security risks affecting applications, APIs, and distributed systems.
- Familiarity with secure coding principles, the software development lifecycle (SDLC) and threat modelling concepts.
- Exposure to security testing approaches such as SAST, DAST, or dependency scanning.
- Basic programming or scripting ability (e.g., Python, JavaScript, or similar) to support automation, analysis, or tooling.
- Interest in building or improving security tooling, automation, or developer workflows to help scale security across engineering teams.
- Strong analytical and problem‑solving skills, with the ability to analyse and assess security risks in application designs, code, or deployed systems.
- Ability to collaborate effectively with engineers and communicate security concerns clearly.
Nice to Have
- Bachelor’s degree in Computer Science, Cybersecurity, Information Security, or a related technical field.
- Experience using security tooling such as Burp Suite, OWASP ZAP, Semgrep, Checkmarx, OxSecurity, or Snyk.
- Exposure to security reviews, threat modelling, penetration testing concepts, or risk assessments.
- Familiarity with security frameworks and standards such as OWASP, ISO 27001, PCI DSS, or GDPR.
- Familiarity with modern development environments, including AWS, CI/CD security checks, and API security testing.
- Scripting experience (Python/Bash) and exposure to AI or martech ecosystems is a plus.
- Experience gained through security coursework, certifications, personal projects, security research, CTF competitions, bug bounty programs, or open‑source contributions is highly valued.
What You’ll Get
- The opportunity to work on large‑scale platforms used by millions of travellers across the UK and Europe, helping secure systems that support billions of pounds in annual ticket sales.
- Hands‑on experience across modern product security practices, including threat modelling, secure design reviews, software supply chain security, AI security considerations, and security automation within CI/CD pipelines.
- The chance to collaborate closely with experienced security, platform, and product engineers, gaining exposure to real‑world security challenges in a modern engineering environment.
- Opportunities to contribute to security research, experimentation, and tooling, helping improve Trainline’s security capabilities and developer security experience.
- Exposure to broader security initiatives across the organisation, including collaboration with other security functions and engagement with partners or vendors where relevant.
- A supportive environment focused on mentorship, continuous learning, and career growth, including access to learning budgets, training resources, and professional development opportunities.
We know that having a diverse team makes us better and helps us succeed. And we mean all forms of diversity – gender, ethnicity, sexuality, disability, nationality and diversity of thought. That’s why we’re committed to creating inclusive places to work, where everyone belongs and differences are valued and celebrated.