Redgate - Product Security Engineer
Requirements
• Hands-on product/application security experience supporting engineering teams in a modern SDLC (requirements, design review, secure coding guidance, release support).
• Strong knowledge of the OWASP Top 10 and practical mitigation patterns; familiarity with OWASP ASVS is a plus.
• Experience implementing or improving SAST/DAST processes: tool selection/tuning, signal-to-noise reduction, and scalable remediation workflows.
• Working understanding of cloud and container security fundamentals in an environment using AWS and Docker (and related CI/CD practices).
• Comfort working across a primarily C# ecosystem (with some Java/Python), including the ability to review code and explain security issues clearly to developers.
• Ability to translate security risk into actionable engineering priorities, balancing risk, delivery timelines, and operational realities.
• You’re pragmatic: you care about real risk reduction, not checkbox compliance or perfect theoretical security.
• You communicate clearly and respectfully, and are able to influence without authority and build trust across multiple product teams.
• You’re structured and evidence-driven: you document decisions, measure outcomes, and iterate based on what’s working.
• You’re comfortable in ambiguity and can shape an approach when requirements, tooling, or ownership aren’t fully defined yet.
Benefits
• £60,000 to £75,000 subject to experience
Tech / tool stack
• C# / .NET (primary engineering ecosystem), React
• Java (J2EE), TypeScript, and Python
• AWS (cloud infrastructure and services), Docker (containerised workloads)
• SAST/DAST tooling (specific products may vary; you’ll help tune and operationalise them)
30 Days
• Onboard into Redgate’s products, SDLC, and delivery rhythms (how work moves from idea → code → deploy).
• Get access to core systems and security tooling; understand what’s in place today (SAST/DAST coverage, alert volumes, current processes).
• Shadow the Product Security Architect and sit in on a handful of ceremonies (planning/refinement/retro) to understand team dynamics and where security naturally fits.
• Triage a small set of findings with guidance (e.g., top recurring SAST issues), focusing on learning severity expectations and remediation patterns.
• Start building a knowledge base: common app patterns, approved controls, “how we do security here,” and where to find the right people.
60 Days
• Begin owning a defined slice of AppSec work with supervision (e.g., one product area or a specific SDLC initiative like SAST tuning or DAST onboarding).
• Build working relationships with a small set of partner teams and establish a predictable engagement model (intake path, review checklist).
• Start contributing to security reviews for new features or higher-risk changes, initially as a second set of eyes, then independently for scoped areas.
• Help improve signal-to-noise in SAST/DAST: tune rules, reduce duplicates, and document triage guidance that developers can follow.
• Support lightweight threat modelling sessions alongside the Architect (prep, note-taking, translating outcomes into engineering actions).
90 Days
• Independently handle routine AppSec support for the agreed scope (e.g., first-pass triage, basic secure design guidance, follow-ups with teams), escalating appropriately.
• Deliver tangible process improvements that reduce friction (e.g., a clearer severity rubric, a repeatable intake template, a “common findings” fix guide).
• Demonstrate steady throughput on findings: consistent triage quality, meaningful developer support, and reduced turnaround time for the scoped area.
• Contribute to a secure-by-default library/SDK.