Blockchain.com - Senior Product Security Engineer
Responsibilities
• Strategic Security Partnership: Act as a senior security engineer for the different product lines, such as Consumer and OTC. You will own the security gates for major feature releases and ensure security is integrated from the design phase.
• Secure SDLC Operator: Operate and improve the secure development lifecycle. This includes orchestrating SAST/SCA/DAST, streamlining SARIF ingestion, PR review standards, CI/CD security automation, and vulnerability triage workflows.
• AI-Driven SDLC Innovation: Research, architect, and safely embed cutting-edge AI utilities and Large Language Model (LLM) agents directly into our secure development lifecycle.
• Threat Modelling & Architecture Reviews: Lead STRIDE/attack-tree threat models for sensitive flows, including authentication, payment, custody and reconciliation, and sign off on security architecture for critical designs.
• Product Security Governance & Standards: Translate technical risks and regulatory demands into clear security policies. You will own the creation and upkeep of our Application Security Standards, reference architectures, and compliance-driven secure coding baselines.
• Bug Bounty Leadership: Oversee the technical triage and remediation strategy for our Bug Bounty program. You will turn external researcher findings into internal architectural hardening projects.
• Release Reviews: Perform deep-dive manual code reviews of security-sensitive Pull Requests, mentor engineers on secure coding patterns, and provide pragmatic remediation guidance.
• Advanced Code Auditing: Conduct deep-dive manual and automated code reviews on highly sensitive Java and Kotlin backend Pull Requests.
• Security Debt & Remediation Negotiation: Produce data-driven Security Debt packs and negotiate remediation into engineering roadmaps. You will negotiate remediation timelines with Product Owners and Engineering leadership, backed by risk-based data.
• Detection & Telemetry Integration: Define application runtime signals (business-logic anomalies, auth anomalies, reconciliation mismatches) and work with SecOps to instrument logs and alerts.
• Testing & Automation: Build and maintain product-level test harnesses, fuzzing/property tests and CI checks to prevent regressions for business-critical flows.
• Incident Response Support: Provide product-level Incident Response expertise, such as testing forensic runbooks, supporting reproduction of payment/settlement incidents, and advising on containment/remediation whenever needed.
• Metrics & Risk Visibility: Define and own the Product Security metrics (e.g., MTTR for critical vulnerabilities, security debt burn-down, and defect density). You will translate these KPIs into high-level risk reports for the Head of Security and Engineering leadership to drive data-backed resourcing decisions.
• People & Process: Coach junior product security engineers and security champions. You will assist the Product Security Lead in defining hiring standards and capability plans.
Must-Haves
• 4+ years total security engineering experience, with at least 3+ years focused specifically on application/product security or equivalent.
• Experience with Web, Mobile, Cloud and Infrastructure pentests and Red Teaming (e.g., phishing).
• Proven track record of shipping security automation using CodeQL/GHAS, Snyk, or similar. You should be intimately familiar with the SARIF ecosystem and ASPM workflows.
• Expert-level ability to audit and propose fixes in Kotlin/Java, TypeScript/JS and Python, and familiarity with containerised deployments (Kubernetes).
• Strong threat modeling experience and pragmatic architecture guidance for high-stakes financial flows (AuthN/AuthZ, Cryptography, Payments).
• Experience building CI checks, test harnesses and lightweight fuzzing/property tests.
• Excellent stakeholder skills — able to negotiate remediation with Engineering Directors and Product Owners, balancing security requirements with business velocity.
Nice-to-haves
• Prior fintech/Trading/OTC product security experience or familiarity with custody/signing patterns.
• Practical experience designing or deploying AI-assisted security tooling, leveraging LLMs for automated software patch generation, or evaluating vulnerability detection agents within enterprise developer pipelines.
• Prior experience operating alongside GRC frameworks, authoring developer-facing security policies from scratch, and building automated policy-as-code gateway integrations.
• Public track record of CVEs, security research, or open-source contributions to security tooling.
• Advanced credentials such as OSCP, OSWE, CISSP or equivalent.
• Experience with on-chain/off-chain integration, payment reconciliation, or smart contract security.
• Familiarity with vulnerability management platforms (DefectDojo, Dependabot orchestration) and GRC/Gateway integrations.
• Prior contributions to security automation and developer tooling (open source or internal).
Benefits
• Full-time salary based on experience and meaningful equity in an industry-leading company
• This is a role based in our London office, with a mandatory in-office presence four days per week.
• Work from Anywhere Policy: You can work remotely from anywhere in the world for up to 20 days per year.
• Unlimited vacation policy; work hard and take time when you need it
• Apple equipment
• The opportunity to be a key player and build your career at a rapidly expanding, global technology company in an emerging field
• Flexible work culture