JOB DETAILS
JOB BAND: C
CONTRACT TYPE: Permanent Full-time
DEPARTMENT: Product Group - Enablement - Engineering Enablement
LOCATION: London, Cardiff, Salford, Newcastle, Glasgow - Hybrid
PROPOSED SALARY RANGE:
We're happy to discuss flexible working. If you'd like to, please indicate your preference in the application, though there's no obligation to do so now. Flexible working will be part of the discussion at offer stage.
BBC EXTEND
This role is advertised as part of our BBC Extend programme for disabled people. To apply for this role you should identify as deaf, disabled or neurodivergent and must meet either the definition of disability in the Equality Act (2010) or the definition of disability in the Disability Discrimination Act (1995) if applying in Northern Ireland. You're broadly defined as disabled under both acts if you have a physical or mental impairment that has a substantial and long-term negative or adverse effect on your ability to do normal daily activities. This definition includes both apparent and non-apparent conditions and impairments, and medical conditions such as Cancer, HIV or Multiple Sclerosis.
We are committed to making the process of applying for this role as accessible as possible. If you need to discuss adjustments or access requirements for the application process or have any questions about our Extend programme please
The BBC are fully committed to providing workplace adjustments to help eliminate barriers in the workplace that disabled people face. To do this, we have our own dedicated BBC Access and Disability Service that provides assessments and support throughout employment with us. If you are successful in applying for this role and require workplace adjustments, we will work with you to get your adjustments in place.
If you'd like more information on BBC Extend, please visit the BBC Extend webpage. EX2324
PURPOSE OF THE ROLE
Join DevX and Tooling to make Developer Experience safer and faster. You'll build secure-by-default tooling, templates and pipeline checks that fit engineers' day-to-day, run key GitHub security capabilities at scale, and surface meaningful signals that show impact. Your work reduces friction while strengthening the BBC's Secure SDLC.
WHY JOIN THE TEAM
Work where security meets DevX and Tooling: you'll ship guardrails that developers adopt, prove impact with real usage data, and collaborate with peers who value clear thinking over theatre. You'll have autonomy, tight feedback loops, and the chance to raise the security bar across hundreds of teams.
YOUR KEY RESPONSIBILITIES AND IMPACT
Operate GitHub Advanced Security at scale: CodeQL code scanning, secret scanning and push protection, with sensible policies and triage flows.
Own Dependabot strategy: safe update policies, grouping/auto-merge where appropriate, PR hygiene and actionable alerting.
Integrate security automation into CI/CD: gating checks in GitHub Actions or equivalents, with auditable exceptions.
Build reusable secure templates, libraries and policy-as-code guardrails for services, pipelines and Infrastructure as Code.
Support threat modelling and design reviews; translate outcomes into repeatable checks and templates.
Contribute to DevX tools and services with high-quality code, tests, docs and reviews; instrument controls to surface useful signals.
Integrate with monitoring and incident tooling; participate in incident response for DevX services when required.
YOUR SKILLS AND EXPERIENCE
ESSENTIAL CRITERIA
GitHub Advanced Security at scale: administer CodeQL, secret scanning and push protection; set org/repo policies and triage workflows developers will use.
Dependabot expertise: design update and alerting strategy to keep dependencies fresh without churn.
CI/CD security automation: integrate and tune gating checks; manage exceptions with auditability.
Software supply chain security: SBOM generation/verification, artefact signing and provenance; pragmatic CVE triage.
Secure coding in at least two of Python, Java, with rigorous reviews focused on auth, input handling and error handling; produce reusable secure templates.
Hands-on experience building, deploying and running solutions on AWS.
DESIRED BUT NOT REQUIRED
IaC and cloud hardening: Terraform/CloudFormation security, policy-as-code and secure defaults for IAM, networking and secrets.
SLSA or similar supply-chain frameworks; build system hardening and release hygiene.
AI-assisted developer tooling (e.g. GitHub Copilot, code assistants/agents): understand risks like prompt injection, data exfiltration and insecure suggestions; design guardrails, policies and CI/CD checks.
Developer-centred security UX: paved roads, reusable templates and docs that reduce friction and false positives.
Incident response for developer tooling: runbooks, tabletop exercises and security-focused post-incident reviews.
If you can bring some of these skills and experience, along with transferable strengths, we'd love to hear from you and encourage you to apply.
Before your start date you may need to disclose any unspent convictions or police charges in line with our Contracts of Employment policy. This allows us to discuss any support you may need and assess any risks. Failure to disclose may result in the withdrawal of your offer.