Read and write real code. Review pull requests for security-relevant changes and contribute fixes directly rather than filing tickets and walking away.
Manually assess applications and APIs — find, exploit, and prove real vulnerabilities, and distinguish genuine risks.
Build secure building blocks: reviewing libraries, safe wrappers, auth patterns, and paved-road templates so the easy way is the secure way.
Perform threat modelling and design reviews on new features, working from how the system actually behaves, not a checklist.
Automate security into CI/CD (Octopus deploy/Azure DevOps).
Fix vulnerabilities; When you find a bug, ask what pattern allowed it and eliminate the pattern.
Support incident investigation and remediation for application security issues and get hands-on with logs, code, and root cause.
Level up engineers through code, examples, and quarterly training.
Help shape standards and priorities for the wider engineering teams (this is a small team; you'll have real influence, but the day job is engineering).
Stay updated with the latest security threats, vulnerabilities, and industry trends to proactively address potential risks.
Advocate for security best practices and influence engineering culture to prioritize security.
Evaluate and adopt new security tools and technologies to enhance the security posture.
Participate incident response efforts for application security incidents, including investigation and remediation.
Collaborate with compliance teams to ensure applications meet regulatory and industry-specific security requirements (e.g., GDPR, ISO 27001).
Implement and oversee security tools and technologies such as SAST, and DAST solutions.
Facilitate security architecture reviews and threat modelling sessions for new and existing applications.
Report on security metrics and KPIs to senior management, providing insights into the security posture and areas for improvement.
Drive continuous improvement, fostering a culture of security awareness and proactive risk management.
Coordinate with third-party vendors and security consultants as needed for specialised assessments or audits.
Requirements
Strong software engineering background — you've written and shipped production code, ideally in .NET and/or TypeScript/React, and you can drop into an unfamiliar codebase and reason about it.
Solid application security experience securing web apps and APIs.
Demonstrated ability to find vulnerabilities manually and explain both the exploit and the fix.
Comfortable integrating and, crucially, tuning security testing in CI/CD so the output is trustworthy.
You've influenced engineers as a peer, through code and pragmatism.
Certifications (Preferred): Offensive/practical certs like OSCP, or an equivalent
Cloud security depth in AWS and/or Azure; container/orchestration security.
Familiarity with GDPR, ISO 27001, SOC 2 as constraints to engineer around.
Expert knowledge of application security principles, practices, and frameworks such as OWASP Top Ten, SANS/CWE Top 25.
Proficiency with security testing tools like Burp Suite, OWASP ZAP, Fortify, Checkmarx, SonarQube or similar.
Strong understanding of secure coding practices in languages and frameworks such as JavaScript, TypeScript, ReactJS, .NET, and others.
Familiarity with DevSecOps practices and integrating security tools into CI/CD pipelines.
Knowledge of authentication and authorization protocols such as OAuth, SAML, JWT, and multi-factor authentication.
Understanding of cloud security principles and experience with cloud platforms like AWS and/or Azure.
Experience with compliance standards and regulations like GDPR, ISO 27001, PCI DSS, and SOC 2.
Knowledge of encryption standards, key management, and data protection strategies.
Experience with incident response processes and security event management.
Excellent communication skills, adept at conveying security concepts to both technical and non-technical stakeholders.
High attention to detail with a commitment to maintaining the highest standards of security and quality.
Proactive and strategic thinker, able to anticipate security challenges and stay ahead of emerging threats.
Collaborative mindset, thriving in a cross-functional team environment and building strong relationships across departments.
Passionate about security, with a continuous desire to learn and stay updated on the latest industry trends and threats.
Resilient and adaptable, capable of handling high-pressure situations and making sound decisions during security incidents.
Ethical and trustworthy, maintaining the highest level of integrity in handling sensitive information.