Product Security Engineer

Full-Time · 60000 - 80000 € / year (est.) · No home office possible
Deepstreamtech

At a Glance

  • Tasks: Embed security into the software development lifecycle and support engineering teams.
  • Company: Join a forward-thinking tech company focused on secure software solutions.
  • Benefits: Competitive salary, flexible work options, and opportunities for professional growth.
  • Other info: Collaborative culture with a focus on innovation and continuous improvement.
  • Why this job: Make a real impact by enhancing product security in a dynamic environment.
  • Qualifications: Experience in application security and familiarity with cloud technologies.

The predicted salary is between 60000 - 80000 € per year.

Requirements

  • Hands-on product/application security experience supporting engineering teams in a modern SDLC (requirements, design review, secure coding guidance, release support).
  • Strong knowledge of the OWASP Top 10 and practical mitigation patterns; familiarity with OWASP ASVS is a plus.
  • Experience implementing or improving SAST/DAST processes: tool selection/tuning, signal-to-noise reduction, and scalable remediation workflows.
  • Working understanding of cloud and container security fundamentals in an environment using AWS and Docker (and related CI/CD practices).
  • Comfort working across a primarily C# ecosystem (with some Java/Python), including the ability to review code and explain security issues clearly to developers.
  • Ability to translate security risk into actionable engineering priorities—balancing risk, delivery timelines, and operational realities.
  • You’re pragmatic: you care about real risk reduction, not checkbox compliance or perfect theoretical security.
  • You communicate clearly and respectfully, able to influence without authority and build trust across multiple product teams.
  • You’re structured and evidence-driven: you document decisions, measure outcomes, and iterate based on what’s working.
  • You’re comfortable in ambiguity and can shape an approach when requirements, tooling, or ownership aren’t fully defined yet.

What the job involves

  • As a Product Security Engineer, you’ll embed security into the software development lifecycle across multiple product teams.
  • You’ll help teams build, ship, and operate secure software by defining requirements, improving detection and prevention (SAST/DAST), assisting teams with application security governance, and running threat modelling.
  • Partner with engineering and product teams to define and operationalise security requirements across the SDLC (from design to release).
  • Audit application code for weaknesses and vulnerabilities.
  • Own or co-own application security governance practices: secure-by-default standards, patterns, guardrails, and exceptions/risk acceptance.
  • Drive SAST/DAST adoption and quality: tool tuning, triage workflows, severity calibration, and “fix-forward” enablement.
  • Support adoption of threat modelling for new features, architectural changes, and high-risk services—turning findings into actionable engineering work.
  • Provide product security guidance for cloud-native environments (AWS + containerised workloads), with an emphasis on secure service design and deployment practices.
  • Build strong relationships with product teams through clear communication, coaching, and security enablement.
  • Review and assist in the development of engineering policies aligned with security best practices.
  • Contribute secure shared libraries/paved-road components or perform targeted security testing/pentesting to validate controls.
  • Work with product teams to support implementation of AI, including LLMs, SLMs, and MCP.

30 Days

  • Onboard into Redgate’s products, SDLC, and delivery rhythms (how work moves from idea → code → deploy).
  • Get access to core systems and security tooling; understand what’s in place today (SAST/DAST coverage, alert volumes, current processes).
  • Shadow the Product Security Architect and sit in on a handful of ceremonies (planning/refinement/retro) to understand team dynamics and where security naturally fits.
  • Triage a small set of findings with guidance (e.g., top recurring SAST issues), focusing on learning severity expectations and remediation patterns.
  • Start building a knowledge base: common app patterns, approved controls, “how we do security here,” and where to find the right people.

60 Days

  • Begin owning a defined slice of AppSec work with supervision (e.g., one product area or a specific SDLC initiative like SAST tuning or DAST onboarding).
  • Build working relationships with a small set of partner teams and establish a predictable engagement model (intake path, review checklist).
  • Start contributing to security reviews for new features or higher-risk changes—initially as a second set of eyes, then independently for scoped areas.
  • Help improve signal-to-noise in SAST/DAST: tune rules, reduce duplicates, and document triage guidance that developers can follow.
  • Support lightweight threat modelling sessions alongside the Architect (prep, note-taking, translating outcomes into engineering actions).

90 Days

  • Independently handle routine AppSec support for agreed scope (e.g., first-pass triage, basic secure design guidance, follow-ups with teams), escalating appropriately.
  • Deliver tangible process improvements that reduce friction (e.g., clearer severity rubric, a repeatable intake template, a “common findings” fix guide).
  • Demonstrate steady throughput on findings: consistent triage quality, meaningful developer support, and reduced turnaround time for the scoped area.
  • Contribute to a secure-by-default library/SDK.

Tech / tool stack

  • C# / .NET (primary engineering ecosystem), React, Java (J2EE), TypeScript, and Python.
  • AWS (cloud infrastructure and services), Docker (containerised workloads).
  • SAST/DAST tooling (specific products may vary; you’ll help tune and operationalise them).

Product Security Engineer employer: Deepstreamtech

At Redgate, we pride ourselves on fostering a collaborative and innovative work culture that empowers our Product Security Engineers to make a real impact in securing software development. With a strong emphasis on employee growth, we offer continuous learning opportunities and the chance to work with cutting-edge technologies in a supportive environment. Located in a vibrant tech hub, our team enjoys a flexible work-life balance and the unique advantage of being part of a company that values security as a fundamental aspect of our product lifecycle.

Contact Detail:

Deepstreamtech Recruiting Team

StudySmarter Expert Advice🤫

We think this is how you could land Product Security Engineer

Tip Number 1

Network like a pro! Reach out to folks in your industry on LinkedIn or at meetups. A friendly chat can lead to opportunities that aren’t even advertised yet.

Tip Number 2

Show off your skills! Create a portfolio or GitHub repo showcasing your work, especially any projects related to product security. This gives potential employers a taste of what you can do.

Tip Number 3

Prepare for interviews by practising common questions and scenarios related to product security. Think about how you’d tackle real-world problems and be ready to share your thought process.

Tip Number 4

Don’t forget to apply through our website! We love seeing candidates who are genuinely interested in joining us. Plus, it’s the best way to ensure your application gets noticed.

We think you need these skills to ace Product Security Engineer

Product/Application Security Experience
Knowledge of OWASP Top 10
Familiarity with OWASP ASVS
SAST/DAST Processes Implementation
Cloud Security Fundamentals
Container Security (Docker)
C# Programming

Some tips for your application 🫡

Show Your Hands-On Experience: Make sure to highlight your practical experience in product/application security. We want to see how you've supported engineering teams in a modern SDLC, so share specific examples of your work with secure coding guidance and design reviews.

Know Your OWASP: Demonstrate your strong knowledge of the OWASP Top 10 and any mitigation patterns you've implemented. If you're familiar with OWASP ASVS, don't forget to mention that too! It shows us you’re serious about security.

Communicate Clearly: We value clear communication, so make sure your application reflects that. Explain your security risk assessments and how you've influenced engineering priorities without authority. This will help us see how you can build trust across teams.

Apply Through Our Website: Don’t forget to apply through our website! It’s the best way for us to receive your application and ensures you’re considered for the role. We can’t wait to see what you bring to the table!

How to prepare for a job interview at Deepstreamtech

Know Your Stuff

Make sure you brush up on your product/application security knowledge, especially the OWASP Top 10. Be ready to discuss practical mitigation patterns and how you've applied them in past roles. This shows you're not just familiar with the theory but can also implement it effectively.

Showcase Your Experience with SAST/DAST

Be prepared to talk about your experience with SAST and DAST processes. Discuss specific tools you've used, how you selected and tuned them, and any improvements you've made to workflows. This will demonstrate your hands-on experience and problem-solving skills.

Communicate Clearly

Since you'll be working across multiple teams, practice explaining complex security concepts in simple terms. Think of examples where you've influenced others without authority, as this will highlight your ability to build trust and communicate effectively.

Embrace Ambiguity

In this role, you'll need to navigate uncertainty. Prepare examples from your past where you've shaped an approach despite unclear requirements or tooling. This will show that you're pragmatic and can adapt to changing situations, which is crucial for a Product Security Engineer.