Product Security Engineer in City of Westminster


City of Westminster | Full-Time | 50000 - 70000 £ / year (est.) | No working from home possible
Zopa Bank Limited

At a Glance

  • Tasks: Champion product security while collaborating with engineers and product owners on innovative projects.
  • Company: Join a diverse fintech company committed to inclusivity and innovation.
  • Benefits: Competitive salary, flexible working options, and opportunities for professional growth.
  • Other info: Dynamic team culture with a focus on diversity and personal development.
  • Why this job: Make a real impact by securing cutting-edge products and technologies.
  • Qualifications: Experience in offensive security and a passion for learning new technologies.

The predicted salary is between 50000 - 70000 £ per year.

Responsibilities

  • Being an advocate of security for product owners and engineers, with whom you'll build a working relationship.
  • Performing web, mobile, and backend security assessments directly.
  • Orchestrating web, mobile, and backend security assessments between our product teams and third-party assessors when the situation calls for it.
  • Weighing in on technical architecture discussions, ensuring security is considered from the very inception of new features.
  • Threat modelling upcoming features, providing a more technical and hands-on steer when necessary to illustrate security concerns with proposed feature implementations.
  • Overseeing secure engineering training programmes, keeping our engineers aware of secure engineering practices, and abreast of the common security pitfalls to avoid.
  • Integrating security tooling, stitching together CI steps, scripts, and small tools to automate security controls and visualise their results in a helpful manner. This could include SAST, SCA, DAST, secrets scanning, vulnerability scanning, or other tooling.
  • Being guardians of our Secure Development Lifecycle, ensuring security controls are baked in and “pushed left” as much as reasonably possible.
  • Triaging incoming reports and findings from bug bounties, automated tools, and more.
  • Being comfortable doing “Just-in-Time” learning around technologies and frameworks as required to understand emerging technologies in the company, and the security concerns they raise – with appropriate time allocated by the company, of course.
  • Advising engineers on security patching, and ensuring our team does as we say by keeping our own tools patched too.
  • Staying cognizant of the balance required between security and productivity, and how to manage stakeholders' concerns around such trade-offs.

Qualifications

  • You have experience in offensive security, such as performing security assessments via tools like BurpSuite, nmap, Kali Linux, etc.
  • Strong experience in at least web or a mobile OS, with a willingness to learn the other too.
  • Fundamental networking and OS knowledge – you should know how to debug a failing DNS connection, be comfortable with command line tools, and broader computing principles.
  • Comfortable threat modelling, assessing the balance between features and security.
  • Being able to explain the trade-offs to less technical stakeholders.
  • Basic scripting knowledge – we have some in-house tools we maintain ourselves.
  • A willingness to learn basic software engineering principles to ensure said tools stay maintainable.
  • Being confident in at least one language such as Python, JavaScript, or Go.
  • Secure coding practices – being able to not just spot a SQL injection but provide detailed guidance about how to fix it and prevent it for future queries.
  • Providing security advice during architectural design phases of new products.
  • Spotting fundamental security flaws in designs early on, before code is even written.
  • Basic cloud infrastructure knowledge, such as understanding the fundamentals of cloud compute instances (VMs), software-defined networks, and defining infrastructure in code.
  • Having experience in fintech, especially banks with mobile apps.
  • Able to read common tech stack languages not commonly used in InfoSec, e.g. Java and C#. This can assist whitebox assessments.
  • On top of knowing security skills, knowing fundamental software engineering practices to ensure modifications to our internal tools stay maintainable.

Subject to having the right to work in the country of choice. Zopa is proud to offer a workplace free from discrimination. Diversity of experience, perspectives, and backgrounds leads to better products for our customers and a unique company culture for our people. We are made up of nearly 50 nationalities, have a DE&I forum made up of Zopians wanting to make a difference, and we are proud of our culture where everyone can bring their full self to work. Our approach to DE&I is reflected in our hiring process so please let us know if you require any reasonable adjustments.

Product Security Engineer in City of Westminster employer: Zopa Bank Limited

Zopa is an exceptional employer that fosters a collaborative and inclusive work culture, where diversity is celebrated and every employee is encouraged to bring their authentic selves to work. As a Product Security Engineer, you will benefit from continuous learning opportunities, hands-on experience with cutting-edge security tools, and the chance to influence product security from the ground up, all while working in a vibrant environment that values innovation and teamwork.

Zopa Bank Limited

Contact Details:

Zopa Bank Limited Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land Product Security Engineer in City of Westminster

Tip Number 1

Network like a pro! Reach out to folks in the industry, especially those already working at companies you're eyeing. A friendly chat can sometimes lead to insider info or even a referral, which can give you a leg up in the application process.

Tip Number 2

Show off your skills! If you've got experience with tools like BurpSuite or Kali Linux, consider creating a portfolio or blog where you share your insights and assessments. This not only showcases your expertise but also demonstrates your passion for product security.

Tip Number 3

Prepare for interviews by brushing up on your threat modelling and secure coding practices. Be ready to discuss how you would balance security with productivity, as this is a hot topic in many tech discussions. Practice explaining complex concepts in simple terms for non-tech stakeholders.

Tip Number 4

Don't forget to apply through our website! It’s the best way to ensure your application gets seen. Plus, it shows you're genuinely interested in joining our team. Keep an eye on our careers page for the latest openings and updates!

We think you need these skills to ace Product Security Engineer in City of Westminster

Offensive Security
Security Assessments
BurpSuite
nmap
Kali Linux
Web Security
Mobile OS Security

Some tips for your application 🫡

Show Your Passion for Security: When writing your application, let us see your enthusiasm for security! Share any personal projects or experiences that highlight your skills in offensive security and how you’ve tackled challenges in the past.

Tailor Your Application: Make sure to customise your application to reflect the specific responsibilities and qualifications mentioned in the job description. We want to see how your unique experience aligns with our needs, so don’t hold back!

Be Clear and Concise: Keep your application straightforward and to the point. Use clear language to explain your technical skills and experiences, especially when discussing complex topics like threat modelling or secure coding practices.

Apply Through Our Website: We encourage you to apply directly through our website. It’s the best way for us to receive your application and ensures you’re considered for the role. Plus, it shows you’re keen on joining our team!

How to prepare for a job interview at Zopa Bank Limited

Know Your Tools

Familiarise yourself with the security assessment tools mentioned in the job description, like BurpSuite and nmap. Be ready to discuss your experience using these tools and how they can be applied in real-world scenarios.

Understand Threat Modelling

Brush up on threat modelling techniques and be prepared to explain how you would assess the balance between new features and security. Think of examples where you've had to make trade-offs and how you communicated these to stakeholders.

Showcase Your Coding Skills

Since basic scripting knowledge is essential, be ready to demonstrate your coding skills in languages like Python or JavaScript. Prepare to discuss how you’ve used coding to automate security controls or improve processes in previous roles.

Communicate Security Concepts

Practice explaining complex security concepts in simple terms. You might need to advise less technical stakeholders, so being able to break down security issues and solutions will show your ability to bridge the gap between tech and non-tech teams.