Product Security Engineer
Job Summary
Mekari is Indonesia's no. 1 Software-as-a-Service (SaaS) company. With our ecosystem of software solutions, including Mekari Jurnal, Mekari Talenta, Mekari Qontak, and Mekari Flex, we aim to facilitate entrepreneurs and leaders as they accelerate the digital transformation of their businesses.
In our 10-year journey, we have reached over 1 million platform users, and we're not planning to stop any time soon. We need more people like you: builders and owners with calculated ambition who are ready to #ElevateThroughImpact and raise Indonesia's software standard.
Position Overview:
We're looking for a Product Security Engineer to join our team and help secure our products throughout their this role you'll work closely with engineering, product, and infrastructure teams to identify vulnerabilities, guide secure development practices, and respond to security incidents. You'll be a trusted advisor across the organization, someone teams turn to when they need security expertise on design decisions, code reviews, and emerging AI/ML threats.
Job Description:
- Vulnerability Assessment & Penetration Testing (VAPT)
Plan and execute penetration tests and vulnerability assessments across our applications, APIs, and infrastructure. Prioritize findings by business impact and work with engineering teams to drive remediation. Track trends over time to identify systemic weaknesses.
- Security Assessment & PRD/RFC Review
Review product requirement documents and technical RFCs for security implications, especially for new features, architectural changes, and third-party integrations. Provide actionable threat models and recommendations early in the development cycle so security is built in, not bolted on.
- Security Consultancy
Serve as a go-to resource for secure design, secure coding practices, and vulnerability remediation guidance. Partner with developers to solve hard security problems without slowing them down. Help teams make informed risk trade-offs.
- SAST & Secure Code Review
Manage and tune static analysis tooling to reduce noise and surface real issues. Conduct manual secure code reviews for critical or high-risk components. Champion secure coding standards and contribute to internal security guidelines.
- Security Incident Support
Support incident response efforts by triaging product security issues, conducting root cause analysis, and recommending both immediate fixes and long-term preventive measures. Contribute to post-mortems and help improve the incident response process.
- AI/ML Security Guidance
Advise teams on security risks specific to AI/ML systems, including adversarial inputs, model poisoning, data leakage, prompt injection, and supply chain risks in ML pipelines. Stay current on emerging threats in this space and translate research into practical guidance.
Requirements:
- Bachelor's degree in Computer Science, Information Security, Cybersecurity, or related field (or equivalent experience).
- 2 years of experience in application or product security, with a strong foundation in web application security, common vulnerability classes (OWASP Top 10 and beyond), and secure development lifecycles.
- Hands-on experience with penetration testing tools and methodologies (Burp Suite, custom scripting, etc.)
- Familiarity with SAST/DAST tools and the ability to tune them for real-world effectiveness
- Experience reviewing code in at least one or two major languages (Python, Go, Java, JavaScript, etc.)
- Comfort reading and contributing to technical design documents and threat models
- Exposure to AI/ML systems and an understanding of their unique attack surfaces
- Strong communication skills
- A collaborative mindset; you see yourself as a partner to engineering, not a gatekeeper
Nice to have:
- Relevant certifications (OSCP, OSWE, GWAPT, or similar)
- Experience building or improving security tooling and automation
- Background in bug bounty programs, either running one or participating
- Contributions to the security community (talks, blog posts, open-source tools)
Our team will review your application and will be in touch if your application is shortlisted to the next stage. If you do not hear from us in 30 days, we will keep your resume on file in case a relevant opportunity opens up.
Don't forget to check our Recruitment FAQ at ENG or INA to find the answers to commonly asked questions regarding our recruitment process.
We wish you the best. Hope to see you around soon!
Required Experience:
IC
About Company
Transform your business with Mekari's integrated software. Streamline your business processes & boost your employees' productivity now!