Senior Product Security Engineer

United Kingdom·Londonsenior

Product Security EngineerCybersecurity

0 views0 saves0 applied

Apply Now

Quick Summary

Key Responsibilities

Act as a senior security engineer for the different product lines like Consumer, OTC.

Technical Tools

Product Security EngineerCybersecurity

Responsibilities

~2 min read

→Strategic Security Partnership: Act as a senior security engineer for the different product lines like Consumer, OTC. You will own the security gates for major feature releases and ensure security is integrated from the design phase.
→Secure SDLC Operator: Operate and improve the secure development lifecycle. This includes orchestrating SAST/SCA/DAST, streamlining SARIF ingestion, PR review standards, CI/CD security automation, and vulnerability triage workflows.
→AI-Driven SDLC Innovation: Research, architect, and safely embed cutting-edge AI utilities and Large Language Model (LLM) agents directly into our secure development lifecycle.
→Threat Modelling & Architecture Reviews: Lead STRIDE/attack-tree threat models for sensitive flows including authentication, payment, custody, reconciliation and sign off on security architecture for critical designs.
→Product Security Governance & Standards: Translate technical risks and regulatory demands into clear security policies. You will own the creation and upkeep of our Application Security Standards, reference architectures, and compliance-driven secure coding baselines.
→Bug Bounty Leadership: Oversee the technical triage and remediation strategy for our Bug Bounty program. You will turn external researcher findings into internal architectural hardening projects.
→Release Reviews: Perform deep-dive manual code reviews of security-sensitive Pull Requests, mentor engineers on secure coding patterns, and provide pragmatic remediation guidance.
→Advanced Code Auditing: Conduct deep-dive manual and automated code reviews on highly sensitive Java and Kotlin backend Pull Requests.
→Security Debt & Remediation Negotiation: Produce data-driven Security Debt packs and negotiate remediation into engineering roadmaps. You will negotiate remediation timelines with Product Owners and Engineering leadership, backed by risk-based data.
→Detection & Telemetry Integration: Define application runtime signals (business-logic anomalies, auth anomalies, reconciliation mismatches) and work with SecOps to instrument logs and alerts.
→Testing & Automation: Build and maintain product-level test harnesses, fuzzing/property tests and CI checks to prevent regressions for business-critical flows.
→Incident Response Support: Provide product-level Incident Response expertise like test forensic runbooks, support reproduction of payment/settlement incidents, and advise on containment/remediation whenever needed.
→Metrics & Risk Visibility: Define and own the Product Security metrics (e.g., MTTR for critical vulnerabilities, security debt burn-down, and defect density). You will translate these KPIs into high-level risk reports for the Head of Security and Engineering leadership to drive data-backed resourcing decisions.
→People & Process: Coach junior product security engineers and security champions. You will assist the Product Security Lead to define hiring standards and capability plans.

4+ years total security engineering experience with at least 3+ years focused specially in application/product security or equivalent.
Experience with Web, Mobile, Cloud, Infrastructure Pentests and Red Teaming (e.g., phishing)
Proven track record of shipping security automation using CodeQL/GHAS, Snyk, or similar. You should be intimately familiar with the SARIF ecosystem and ASPM workflows.
Expert-level ability to audit and propose fixes in Kotlin/Java, TypeScript/JS, Python, and familiarity with containerised deployments (Kubernetes).
Strong threat modeling experience and pragmatic architecture guidance for high-stakes financial flows (AuthN/AuthZ, Cryptography, Payments).
Experience building CI checks, test harnesses and lightweight fuzzing/property tests.
Excellent stakeholder skills — able to negotiate remediation with Engineering Directors and Product owners, balancing security requirements with business velocity.

Prior fintech/Trading/OTC product security experience or familiarity with custody/signing patterns.
Practical experience designing or deploying AI-assisted security tooling, leveraging LLMs for automated software patch generation, or evaluating vulnerability detection agents within enterprise developer pipelines.
Prior experience operating alongside GRC frameworks, authoring developer-facing security policies from scratch, and building automated policy-as-code gateway integrations.
Public track record of CVEs, security research, or open-source contributions to security tooling.
Advanced credentials such as OSCP, OSWE, CISSP or equivalent.
Experience with on-chain/off-chain integration, payment reconciliation, or smart contract security.
Familiarity with vulnerability management platforms (DefectDojo, Dependabot orchestration) and GRC/Gateway integrations.
Prior contributions to security automation and developer tooling (open source or internal).