Sr. Product Security Engineer
Job Summary
Xylem is a Fortune 500 global water solutions company dedicated to advancing sustainable impact and empowering the people who make water work every day. As a leading water technology company with 23,000 employees operating in over 150 countries, Xylem is at the forefront of addressing the world's most critical water challenges. We invite passionate individuals to join our team dedicated to exceeding customer expectations through innovative and sustainable solutions.
Welcome to Xylem
Xylem (NYSE: XYL) is a Fortune 500 global water technology company with 23,000 employees operating in over 150 countries. Our purpose is clear: to empower our customers and communities to build a more water-secure world. Xylem's solutions are active in water systems that treat, transport, test, and monitor water for hundreds of millions of people. Since 2019, Xylem technology has helped customers reuse more than 18 billion cubic meters of water, reduce water loss across distribution networks, and protect communities from contamination and flood events.
Water security is becoming one of the defining technology challenges of the next decade. The rapid growth of AI infrastructure, data centers, semiconductor fabrication, and advanced power generation is placing significant new demands on water systems worldwide. Xylem is working with utilities, industry, and technology companies to ensure water infrastructure can support the demands of a changing economy while remaining resilient for the communities that depend on it.
As Xylem scales its digital and AI-enabled product portfolio, the security of those systems becomes directly connected to that mission. The products and platforms this team is responsible for are operational systems that utilities, municipalities, and industrial operators rely on to manage water safely and efficiently.
Your New Role
We are looking for an experienced Product Security Engineer to join our Global Product Security Engineering team in India. This is a senior individual contributor role for someone who has moved beyond operating tools and is ready to function as a trusted contributor to a team that works closely with product and engineering organizations.
Product security at Xylem is focused on enabling informed, risk-based decisions. We work alongside engineering, architecture, and product leadership to understand what is being built, where the meaningful risk lives, and how to address it in ways that fit the business context. The assessments and findings you produce will feed directly into those decisions, giving the people who own them the technical clarity they need to act with confidence.
The primary focus of this role is security assessment of cloud-hosted applications and APIs. As the portfolio continues to grow and AI-enabled products become a larger part of what Xylem delivers, the team's ability to assess those systems rigorously is increasingly important. This role sits at the center of that work.
Your Role Responsibilities
- Lead security assessments of cloud-hosted applications and APIs, grounded in a thorough understanding of the application's business logic, threat model, and architecture.
- Assess modern identity and access control implementations, including OAuth2/OIDC, SAML, and JWT, with the ability to reason about design-level weaknesses.
- Produce assessment reports that give engineering and product leadership the context they need to make sound risk-based decisions.
- Work directly with engineering and product teams through the resolution process, applying the judgment needed to evaluate whether a proposed control genuinely reduces risk.
- Conduct threat modeling and architecture reviews early in the design process, helping teams understand the security implications of their choices.
- Contribute to the standards, assessment methodologies, and tooling that define how product security work is conducted across the portfolio.
- Support the product security incident response function (PSIRT) as needed, helping teams understand the significance of externally reported security issues and supporting coordinated disclosure.
- Stay current on application, API, and AI security developments and bring that knowledge back to the team in ways the team can use.
What We Are Looking For
We are looking for a practitioner with demonstrated experience and a proven track record in product or application security. The right person has done this work as a core responsibility, not a secondary one, and can speak with authority about what they have assessed, what they found, and how they helped the business respond.
- Demonstrated hands-on experience in product security or application security, with a track record of conducting thorough security assessments of cloud-hosted applications and APIs. We are looking for people who have owned engagements.
- A strong foundation in how web applications and APIs fail from a security standpoint, including the classes of weakness covered by the OWASP Top 10 and OWASP API Security Top 10, and the judgment to recognize when those frameworks apply and when they require adaptation.
- Experience assessing modern identity and access control implementations, including OAuth2/OIDC, SAML, and JWT, at both the design level and the implementation level.
- The ability to write proof-of-concept code to demonstrate the real-world impact of a finding, supported by enough scripting ability to extend and automate your own assessment work.
- Working knowledge of cloud-hosted architectures, microservices, and container-based deployments, with the ability to reason about where security assumptions are most likely to hold and where they are most likely to fail.
- Strong written and verbal communication skills, including the ability to produce clear, well-reasoned assessment reports for a technical audience.
- The ability to build effective working relationships with engineering and product teams, including the confidence to advocate for a different course when the risk warrants it.
- Bachelor's degree in Computer Science, Engineering, Information Security, or a related field, or equivalent practical experience.
What Would Set You Apart
Every strong candidate brings something the job description did not anticipate. The following are examples of experience that would be differentiating in this role, but they are not the full picture. If you have depth in an area that is not listed here and believe it is relevant, we want to hear about it.
- Experience assessing AI-enabled products in production, including LLM integrations, retrieval augmented generation systems, agents, tool calling, and model endpoints. This is an emerging and strategically important area for Xylem's portfolio, and the ability to assess it rigorously is a meaningful differentiator.
- Familiarity with emerging AI security frameworks and guidance, including the OWASP Top 10 for LLM Applications, the NIST AI Risk Management Framework, and MITRE ATLAS, applied critically rather than as a checklist.
- Strong automation, scripting, or development capability beyond the basics. If you build tools to extend your own assessments, automate repeatable work, or prototype solutions because nothing off the shelf fits the problem, that is the kind of initiative we want to know about.
- Experience with embedded systems, IoT, firmware analysis, or hardware-adjacent attack surface assessment. Xylem's product portfolio extends well below the application layer, and the ability to work lower in the stack adds real value.
- Experience with threat modeling methods such as STRIDE and integrating security thinking into software development at the design stage.
- Experience communicating security risk to diverse stakeholders, including product leadership and non-technical audiences, in ways that support informed decision-making.
- Relevant certifications such as OSCP, GWAPT, GWEB, or equivalent that reflect a commitment to the craft.
How We Get Things Done
Xylem's Global Product Security Engineering team functions as a trusted resource to the business. We are embedded in the product development process, not adjacent to it. We spend as much time understanding what we are assessing as conducting the assessment itself, because context is what makes the output useful to the people acting on it.
The team works across a portfolio that spans cloud-hosted SaaS platforms, embedded and connected devices, and AI-enabled products. No two engagements are the same. The problems are real, the business context matters, and the decisions we inform have direct consequences for systems that communities and operators depend on.
We invest in the growth of our team. That includes access to training, support for professional development, and the opportunity to build expertise in areas that are shaping the future of the field. As AI security, embedded systems testing, and application security continue to evolve, we want people who are engaged with that evolution and motivated to stay at its edge.
Join the global Xylem team to be a part of innovative technology solutions transforming water usage, conservation, and re-use. Our products impact public utilities, industrial sectors, residential areas, and commercial buildings, with a commitment to providing smart metering, network technologies, and advanced analytics for water, electric, and gas utilities. Partner with us in creating a world where water challenges are met with ingenuity and dedication; where we recognize the power of inclusion and belonging in driving innovation and allowing us to compete more effectively around the world.
Required Experience:
Senior IC
About Company
Discover Flygt's innovative submersible pump solutions for various applications, including wastewater, mining, and more. As a leading manufacturer of submersible pumps, Flygt offers reliable and efficient products for your pumping needs. Learn more at Xylem US.