Position
We are seeking a highly skilled Applications Security Engineer to join our Cyber Security team, helping to ensure security is embedded throughout the Software Development Lifecycle (SDLC). This is a hands‑on technical role: we need someone who can identify, analyze, and help mitigate vulnerabilities in our applications throughout the development lifecycle. This role exists to protect our customers and reputation by making sure security is tested into our products before they ship. You will work closely with Security, Development and QA teams to embed robust, evidence‑based security practices throughout our software delivery process.
Key responsibilities of this role will include;
Hands-On Security Testing
- Conduct manual penetration testing and vulnerability assessments across various environments including web, API, desktop and mobile applications.
- Execute Dynamic Application Security Testing (DAST) on running applications, focusing on XSS, SQL Injection, Broken Access Control etc., manually confirming exploitability beyond what scanners or AI analysis reports.
- Use Interactive Application Security Testing (IAST) tools for runtime analysis, such as Burp Suite, OWASP ZAP, Frida, applying hands‑on technique to validate and extend automated results.
- Conduct Static Application Security Testing (SAST) and Software Composition Analysis (SCA) on source code and binaries, manually triaging findings to separate real risk from noise, using AI tools to accelerate initial triage where helpful.
- Ensure the foundation is secure from the start by conducting threat modelling and risk assessments during design phases.
- Provide security requirements for new features and architecture reviews.
Development & Code Assurance
- Perform secure code reviews and advise developers on ensuring security best practices are followed.
- Make use of AI‑assisted code review tools to speed up initial passes, while personally validating any flagged issue against actual code behaviour.
- Collaborate with engineering teams to integrate security into development workflows.
Deployment & Monitoring
- Partner with DevOps to advise on secure configurations and hardening in production environments.
- Support incident response and remediation of application‑level vulnerabilities.
- Keep up to date with industry news, vulnerability announcements and guidelines.
- Deliver secure coding training and promote a positive security posture.
Requirements
- Have hands‑on experience with DAST, IAST and penetration testing tools (e.g., Burp Suite, OWASP ZAP, Frida), and can manually identify and exploit vulnerabilities beyond what these tools surface automatically.
- Can demonstrate independent, hands‑on technical ability, for example through CTF experience, bug bounty history, HackTheBox/TryHackMe rankings, or a technical portfolio.
- Have 3–5 years’ experience in an application security, penetration testing, or software engineering role with a strong security focus.
- Have a strong understanding of secure SDLC and DevSecOps principles.
- Strong understanding of application security principles and common vulnerabilities (e.g., XSS, SQL Injection, Broken Access Control).
- Have experience with Static Application Security Testing (SAST).
- Have practical experience using software composition analysis (SCA) tools such as Blackduck, Mend/Whitesource, Snyk or similar.
- Can easily explain complex security concepts to non‑technical stakeholders and write clear security reports.
- Work well with a wide range of stakeholders as part of a cross‑functional team, including system administrators, developers, network engineers and information security compliance.
- Have proficiency in secure coding practices (Java, Python, C++ or similar).
- Are familiar with common Operating Systems - Windows, Linux, macOS, Android and iOS.
Anything Else?
- Leveraging AI to help drive efficiency in day‑to‑day workflows.
- Exploit development activities, such as exploiting buffer overflows, crafting shellcode or analysing patches.
- Knowledge and understanding of Cyber Security frameworks such as NIST Cybersecurity Framework.
- Regulatory compliance - knowledge of GDPR, ISO‑27001 and SOC2.
- Details of any security‑based qualifications.
Benefits
We also offer generous benefits, including a contributory pension, EV car leasing scheme, private dental and medical cover.
Equal Opportunities
RealVNC has a responsibility to ensure that all staff are eligible to live and work in the UK and if you’re invited to interview you’ll be required to provide proof of your eligibility to work.
RealVNC is an equal opportunities employer, committed to staff welfare and professional development.
Applications Security Engineer in Cambridge employer: Hollybank Trustees Ltd
Hollybank Trustees Ltd is an exceptional employer, offering a dynamic work environment in Rough Hills, England, where collaboration and client-focused strategies thrive. With a flexible hybrid working model, a comprehensive benefits package including an enhanced pension scheme, and ample opportunities for professional development, employees are empowered to grow their careers while making a meaningful impact in the investment advisory sector.