Smarsh

Product Security Engineer – Lead

London, England, United Kingdom

Compensation: Not Specified
Experience Level: Senior (5 to 8 years), Expert & Leadership (9+ years)
Job Type: Full Time
Visa: Unknown
Industries: Biotechnology, Software, Cloud Computing

Requirements

Candidates should have 7+ years of experience in Product Security, Application Security, or a related security engineering role. Deep expertise in secure software development, secure coding practices, and OWASP Top 10 / CWE 25 is required. Strong technical proficiency in modern programming languages such as Python, Java, JavaScript, Go, or C# is necessary. Experience with cloud-native security (AWS, Azure, GCP) and securing containerized environments (Docker, Kubernetes) is essential. Proficiency in security testing tools like Burp Suite, Endor, and Semgrep is expected. A strong background in network security, including firewalls, IDS/IPS, VPNs, and secure network design, is needed. Hands-on experience with CI/CD security automation (GitHub Actions, Jenkins, GitLab CI, etc.) is required. Familiarity with infrastructure-as-code security (Terraform, CloudFormation) and cloud security posture management is beneficial. A strong understanding of identity & access management (OAuth, OIDC, SAML, JWT) and API security is important. Knowledge of industry frameworks like NIST, ISO 27001, and SOC 2 is required. Experience driving developer enablement and security training initiatives is also needed, along with excellent communication and collaboration skills.

Responsibilities

The Product Security Engineer will embed security within the software development lifecycle and conduct structured threat modeling and security assessments for new features, architectures, and services. They will work closely with engineering teams to identify and remediate vulnerabilities from various scans, conduct secure code reviews and architectural security assessments, and enhance security automation capabilities by integrating security testing tools into CI/CD pipelines. Facilitating internal and external penetration testing activities, collaborating with engineering teams to build security awareness and develop Security Champions, and supporting Smarsh SOC and security incident response are key duties. Ensuring alignment with regulatory requirements (SOC 2, ISO 27001, etc.) and supporting audit activities are also part of the role.

Skills

Product Security
Secure SDLC
Threat Modeling
Security Design Reviews
Vulnerability Management
Remediation
SAST
DAST
SCA
Container Security
Cloud Security
Secure Code Review
DevOps
Cloud-First

Smarsh

Archiving and compliance solutions provider

About Smarsh

Smarsh provides archiving and compliance solutions specifically designed for financial services, government agencies, and other regulated industries. Their main product is a cloud-based archive that allows organizations to securely store, search, and manage their communications data, including emails, text messages, and social media interactions. This system helps businesses meet complex security, data privacy, and regulatory requirements. Smarsh differentiates itself from competitors by offering a scalable Software-as-a-Service (SaaS) model that caters to both large enterprises and smaller organizations, ensuring that clients can adapt to evolving regulations. Their goal is to help organizations efficiently manage their communication data, identify risks, and maintain compliance, particularly through tools like Connected Capture for Microsoft Teams, which supports remote workforces.

Headquarters: Portland, Oregon
Year Founded: 2001
Total Funding: $42.4M
Company Stage: BUYOUT
Industries: Enterprise Software, Cybersecurity, Financial Services
Employees: 1,001-5,000

Benefits

Health Insurance
Dental Insurance
Life Insurance
Disability Insurance
Unlimited Paid Time Off
Paid Vacation
Paid Sick Leave
Paid Holidays
Hybrid Work Options
Stock Options
401(k) Company Match
Employee Assistance Programme
Wellness Program
Adoption Assistance
Group Income Protection
Group Life Assurance
Maternity Leave
Paternity Leave
Workplace Pension Scheme
Monthly Wellness Allowance
Company Bonus

Risks

Integration with OpenAI's API may pose compliance and security challenges.
EU's AI Act requires significant adjustments to Smarsh's AI systems.
Expansion into Latin America may expose Smarsh to regional instability.

Differentiation

Smarsh offers cloud-native, context-aware archiving solutions for regulated industries.
The company integrates with popular tools like Microsoft Teams for seamless compliance.
Smarsh serves 9 of the top 10 banks, showcasing its industry trust.

Upsides

Smarsh's global expansion includes a new office in Costa Rica for enhanced support.
Integration with OpenAI's ChatGPT API enhances Smarsh's AI compliance capabilities.
Partnership with Verizon simplifies mobile compliance procurement for Verizon's clients.
