Application Security Specialist

About the role

The Application Security Specialist, working in our cyber testing team, plays a key role in protecting Royal London’s internally developed software by identifying, assessing and helping remediate application security risks early in the delivery lifecycle. This role is ideal if you come from an application development background and you’re looking to build a rewarding career in cyber security and secure software engineering, with support from a collaborative team.

You will partner closely with development teams, penetration testers and platform specialists to embed secure‑by‑design principles, interpret findings from application security tools, and turn them into clear, practical actions. Drawing on your development experience, you’ll help translate security concepts into meaningful, risk‑based decisions—enabling teams to deliver with confidence and strengthening the organisation’s overall cyber resilience.

Responsibilities

• Collaborate with development and engineering teams to embed application security principles and guardrails across the software development lifecycle (SDLC).
• Operate, manage and interpret findings from application security tooling such as SAST, DAST and Software Composition Analysis (SCA), helping teams understand what matters most.
• Identify, analyse and prioritise application security vulnerabilities based on exploitability, business impact and exposure, so effort is focused where it will make the biggest difference.
• Provide clear, actionable remediation guidance and support teams through to closure, celebrating progress and improving outcomes over time.
• Conduct penetration testing using application‑level insight, ensuring coverage of the most exposed and critical attack paths.
• Support teams to assess application design and implementation risks through design reviews, code‑assisted reviews and threat‑informed testing.
• Contribute to the definition and continuous improvement of secure coding standards, application security policies and practical, developer‑friendly guidance.
• Help shift security earlier (‘shift‑left’) in delivery pipelines, reducing exploitable weaknesses before deployment and making secure delivery feel simpler.
• Produce concise, accurate security findings and risk summaries tailored to both technical and non‑technical stakeholders.
• Contribute to the wider Attack Surface Management function through consultation, constructive challenge, and continuous improvement.

About you

• A strong background in application development, with hands‑on experience across the software development lifecycle.
• Experience working in Agile/Scrum environments, using development tooling such as GitHub, Azure DevOps, Jira or Confluence.
• Practical exposure to application security testing approaches and tools (e.g. SAST, DAST, SCA), with the ability to interpret results and explain them in a way that helps teams take action.
• Understanding of common application and web security vulnerabilities (e.g. OWASP Top 10) and how they show up in real‑world codebases.
• Understanding of core cyber security principles and how they apply to modern application architectures.
• Ability to translate technical security findings into clear, pragmatic risk and remediation guidance that supports developers in making good decisions.
• Comfortable collaborating with engineers and influencing secure outcomes through expertise, empathy and credibility.
• Demonstrable knowledge of penetration testing techniques and tooling, with a genuine interest in continuing to learn through collaboration, mentoring and cross‑training.
• Strong written and verbal communication skills, able to engage confidently and respectfully with both technical and non‑technical audiences.
• Experience working in large, complex or regulated environments (financial services is desirable but not essential).
• Curious mindset with a proactive approach to learning and self‑development, staying current with emerging application‑layer threats and sharing knowledge with others.
• Qualifications or certifications such as Security+, CEH, OSCP, OSWE or similar are beneficial, but not required—equivalent experience and a willingness to learn matter just as much.

Benefits

We’ve always been proud to reward employees by offering great workplace benefits such as 28 days annual leave in addition to bank holidays, an up to 14% employer matching pension scheme and private medical insurance.

#J-18808-Ljbffr