Application Security Engineer

ION Group


Job Location:

London - UK

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

The Role:
This is an amazing opportunity to work with the Markets Information Security Team at ION. As a Product Security Engineer you would be the key enabler of secure and compliant products. This role reports to the Product Security Lead and partners closely with engineering and product teams to increase the overall product security posture. You will own and scale product/application security by embedding security into the Secure SDLC, automating controls in CI/CD, and driving measurable risk reduction. The role is hands-on: you will perform security-focused code review and targeted testing, strengthen API security, implement supply chain security (SCA/SBOM) practices, and run an efficient vulnerability lifecycle with clear SLAs and metrics.

Key Responsibilities:

  • Secure SDLC Ownership: Help to define a lightweight, measurable SSDLC (requirements, design checks, guidance, release criteria); establish paved roads (reference architectures, secure templates, approved libs/patterns).
  • CI/CD Security Automation (Shift-left): Own the AppSec toolchain/pipelines (SAST, DAST, SCA, secrets, IaC/container); integrate risk-based gating with clear developer feedback; tune rules, cut false positives, and standardize triage (tickets, auto-routing, SLAs).
  • Code Review & Secure Engineering Support: Perform security code reviews for critical areas (authn/authz, sessions, crypto, data protection, input validation, business logic); provide remediation guidance, secure patterns, and concise code/design examples.
  • API & Service Security: Lead API security (OAuth/OIDC token handling, rate limiting, schema validation, anti-abuse, secure errors, logging/monitoring); drive API testing (contracts, targeted DAST); partner on service-to-service security.
  • Secure Design Reviews & Threat Modeling: Run pragmatic threat modelling/design reviews for new features and changes; produce actionable outputs (mitigations, backlog, acceptance criteria, test cases); maintain requirements for identity, sensitive data, and privacy-by-design.
  • Supply Chain Security (SCA/SBOM): Manage dependency risk (triage, upgrade strategies, deprecations, guardrails); establish SBOM generation/use and provide evidence for assurance; assess third-party components/SDKs and provenance/attestation risks.
  • Vulnerability Lifecycle, SLAs & Metrics: Run intake/triage across tools, pen tests, VDP/bug bounty, and internal findings; define remediation SLAs by severity/exploitability and asset criticality, manage exceptions, and verify fixes; report meaningful metrics (MTTD, MTTF, reopen rate, recurring classes, coverage, control effectiveness).
  • Hands-on Testing (Targeted & Risk-Based): Execute focused testing on high-risk areas (web, APIs, mobile/auth flows) to validate exploitability; coordinate third-party testing and ensure findings translate into prioritized engineering outcomes.

Required Skills, Qualifications and Experience:

Skills in:

  • 6 years in Product Security / Application Security with demonstrable engineering-facing delivery.
  • Strong understanding of OWASP (Web and API risks) and modern attack paths (authz flaws, SSRF, injection, deserialization, business logic abuse, supply chain).
  • Hands-on experience integrating security into CI/CD (SAST/DAST/SCA/secrets), triaging findings, and enabling developer remediation.
  • Comfortable reading/reviewing code in at least one backend language (e.g. Java, C, Go, Python) and common web stacks.
  • Solid grasp of cloud-native delivery practices: microservices, containers, CI/CD, IaC fundamentals, observability and logging.
  • Strong communication skills: able to translate risk into clear engineering actions and influence outcomes.

Nice to Have:

  • Threat modeling experience (STRIDE or similar) with real production outcomes.
  • Fintech or regulated-environment experience in translating obligations into product controls (e.g. PCI, GDPR/DORA concepts).
  • Bug bounty/VDP experience (triage, validation, reporter comms, process).
  • Certifications: OSWE/OSCP/GPEN/GXPN, cloud certifications, or secure software development certifications.

Ability to:

  • Effectively communicate technical issues to diverse audiences, both in writing and verbally.
  • Handle sensitive and confidential matters, situations and data.
  • Understand and follow broad and complex instructions.
  • Comprehend technical language and confer, analyse and write in an objective, lucid manner.
  • Work independently, prioritize multiple tasks and adapt to needed changes.
  • Remain calm under high pressure/difficult situations.

Preferred Certifications:

  • OSWE/OSCP/GPEN/GXPN, cloud certifications, or secure software development certifications.

About us:
We're a diverse group of visionary innovators who provide trading and workflow automation software, high-value analytics and strategic consulting to corporations, central banks, financial institutions and governments. Founded in 1999, we've achieved tremendous growth by bringing together some of the best and most successful financial technology companies in the world.
Over 2,000 of the world's leading corporations, including 50% of the Fortune 500 and 30% of the world's central banks, trust ION solutions to manage their cash, in-house banking, commodity supply chain, trading and risk.
Over 800 of the world's leading banks and broker-dealers use our electronic trading platforms to operate the world's financial market infrastructure.
ION is a rapidly expanding and dynamic group with 13,000 employees and offices in more than 40 cities around the globe. Our ever-expanding global footprint, cutting-edge products and over 40,000 customers worldwide provide an unparalleled career experience for those who share our vision.
ION is committed to maintaining a supportive and inclusive environment for people with diverse backgrounds and experiences. We respect the varied identities, abilities, cultures and traditions of the individuals who comprise our organization and recognize the value that different backgrounds and points of view bring to our business.
ION adheres to an equal employment opportunity policy that prohibits discriminatory practices or harassment against applicants or employees based on any legally impermissible factor.
We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.

Required Experience:

IC


About Company


ION financial software improves decision making, simplifies complicated processes and empowers you by providing the right tools.
