Security Engineer (Cloud & Application Security)

Key Responsibilities

Cloud Security Engineering

• Own and continuously improve Segen’s security posture across our Cloud environment, including configuration hardening, policy enforcement, and security architecture.
• Implement and manage cloud-native security controls using Microsoft Defender for Cloud, Azure Security Centre, and Azure Policy.
• Design and enforce Identity and Access Management (IAM) controls, including Privileged Identity Management (PIM), Conditional Access, and Entra ID (Azure AD) governance.
• Manage cloud network security including virtual network segmentation, NSGs, Private Endpoints, and Azure Firewall.
• Lead cloud security reviews for new infrastructure deployments, ensuring secure architecture patterns are followed (Zero Trust, least privilege, defence-in-depth).
• Monitor cloud environments for misconfigurations and security drift using CSPM tooling, remediating findings in collaboration with DevOps and infrastructure teams.

  Application & Development Security (AppSec)

• Champion and embed secure software development lifecycle (SSDLC) practices across engineering teams.
• Integrate and manage application security tooling within CI/CD pipelines, including SAST, DAST, SCA, and secrets scanning (e.g. Checkmarx, Snyk, GitHub Advanced Security, OWASP ZAP).
• Conduct and coordinate application security assessments, threat modelling sessions, and secure code reviews.
• Act as the primary security liaison for development and DevOps teams, providing hands-on guidance on secure coding standards (OWASP Top 10, SANS CWE).
• Manage the responsible disclosure and triage process for application vulnerabilities identified through internal testing or third-party penetration tests.
• Develop and maintain application security standards, policies, and developer-facing guidance documentation.

  DevSecOps & Security Automation

• Build and maintain security automation pipelines to enforce policy-as-code, infrastructure-as-code (IaC) scanning, and automated compliance checks.
• Implement and manage secrets management solutions (e.g. Azure Key Vault) and ensure secure handling of credentials and API keys across development environments.
• Develop scripted tooling and automation using PowerShell, Python, or similar to improve detection, response, and security operational efficiency.
• Collaborate with DevOps on container security, including image scanning, Kubernetes security posture, and runtime protection.

  Vulnerability Management & Threat Intelligence

• Own the application and cloud vulnerability management programme, including tooling, triage, SLA tracking, and remediation coordination.
• Integrate threat intelligence feeds to contextualise cloud and application risk, informing prioritisation and defensive improvements.
• Manage and track findings from penetration tests through to resolution.

  Compliance & Risk

• Support cloud and application compliance requirements including ISO 27001, Cyber Essentials/Plus, UK GDPR, and PCI DSS where applicable.
• Contribute to security risk assessments for new cloud services, third-party integrations, and application deployments.
• Maintain security documentation, evidence packs, and control mappings for internal and external audit purposes.

  Collaboration & Stakeholder Engagement

• Work closely with software engineers, architects, and DevOps teams as a trusted security partner – not a gatekeeper.
• Deliver security awareness and training for development teams, covering secure coding practices and common vulnerabilities.
• Produce clear risk-based reporting on cloud and application security posture for the Head of Cyber Security and senior stakeholders.

  Technical Competencies

  Required Skills

• Hands-on experience securing Microsoft Azure environments, including Defender for Cloud, Azure Policy, Entra ID, Key Vault, and network security controls.
• Practical experience implementing application security tooling within CI/CD pipelines (SAST, DAST, SCA, secrets scanning).
• Strong understanding of the OWASP Top 10 and common application vulnerabilities (injection, broken auth, IDOR, XSS, etc.).
• Experience with Infrastructure-as-Code security scanning (e.g. Checkov, tfsec, or similar) and IaC platforms such as Terraform or Bicep.
• Working knowledge of container security concepts (Docker, Kubernetes, image hardening, runtime security).
• Proficiency in at least one scripting or programming language (Python, PowerShell, Bash, or similar) for security automation.
• Familiarity with Zero Trust architecture principles and their application in cloud and application contexts.
• Understanding of OAuth 2.0, OpenID Connect, and API security best practices.

  Desired Skills

• Experience with GitHub Advanced Security, Snyk, Checkmarx, Veracode, or equivalent AppSec platforms.
• Exposure to cloud-native SIEM/SOAR platforms such as Microsoft Sentinel for cloud and application threat detection.
• Familiarity with PCI DSS requirements as they relate to web applications and cloud-hosted cardholder data environments.
• Experience working within an e-commerce or digitally-native business where application security is business-critical.
• Knowledge of API gateway security, WAF configuration, and DDoS protection controls.

  Behavioural Competencies

• Engineer’s mindset – you build and automate rather than rely solely on policy and process.
• Excellent written and verbal communication skills, with the ability to clearly articulate application and cloud risks, recommendations and remediation plans into clear, actionable language for both technical and non-technical audiences.
• Collaborative and pragmatic – able to balance security rigour with development velocity.
• Self-motivated and proactive, with a track record of taking ownership and driving improvements.
• Passion for security and a commitment to staying current with the evolving cloud and AppSec threat landscape.
• High level of personal integrity and sound ethical judgement.

  Qualifications & Experience

• Hands-on experience in a security engineering role with a clear focus on cloud and/or application security.
• Relevant certifications desirable, such as AZ-500 (Azure Security Engineer), SC-100/200, AWS Security Specialty, CSSLP, GWEB, or equivalent.
• Degree in Cyber Security, Computer Science, Software Engineering, or a related field is advantageous but not essential – demonstrable practical experience will be equally considered.