Product Security Engineer

Redgate


Job Location:

Cambridge - UK

Monthly Salary: £ 60000 - 75000
Posted on: 30+ days ago
Vacancies: 1 Vacancy

Job Summary

The Role

As a Product Security Engineer you'll embed security into the software development lifecycle across multiple product teams. You'll help teams build, ship and operate secure software by defining requirements, improving detection and prevention (SAST/DAST), assisting teams with application security governance and running threat modelling.

Your Work at Redgate

  • Partner with engineering and product teams to define and operationalise security requirements across the SDLC (from design to release).

  • Audit application code for weaknesses and vulnerabilities.

  • Own or co-own application security governance practices: secure-by-default standards, patterns, guardrails and exceptions/risk acceptance.

  • Drive SAST/DAST adoption and quality: tool tuning, triage workflows, severity calibration and fix-forward enablement.

  • Support adoption of threat modelling for new features, architectural changes and high-risk services, turning findings into actionable engineering work.

  • Provide product security guidance for cloud-native environments (AWS, containerised workloads) with an emphasis on secure service design and deployment practices.

  • Build strong relationships with product teams through clear communication, coaching and security enablement.

  • Review and assist in the development of engineering policies aligned with security best practices.

  • Contribute secure shared libraries/paved-road components or perform targeted security testing/pentesting to validate controls.

  • Work with product teams to support implementation of AI, including LLMs, SLMs and MCP.

What you bring to the table

  • Hands-on product/application security experience supporting engineering teams in a modern SDLC (requirements, design review, secure coding guidance, release support).

  • Strong knowledge of the OWASP Top 10 and practical mitigation patterns; familiarity with OWASP ASVS is a plus.

  • Experience implementing or improving SAST/DAST processes: tool selection/tuning, signal-to-noise reduction and scalable remediation workflows.

  • Working understanding of cloud and container security fundamentals in an environment using AWS and Docker (and related CI/CD practices).

  • Comfort working across a primarily C# ecosystem (with some Java/Python), including the ability to review code and explain security issues clearly to developers.

  • Ability to translate security risk into actionable engineering priorities, balancing risk, delivery timelines and operational realities.

Who you are

  • You're pragmatic: you care about real risk reduction, not checkbox compliance or perfect theoretical security.

  • You communicate clearly and respectfully, able to influence without authority and build trust across multiple product teams.

  • You're structured and evidence-driven: you document decisions, measure outcomes and iterate based on what's working.

  • You're comfortable in ambiguity and can shape an approach when requirements, tooling or ownership aren't fully defined yet.

Salary and ways of working

  • £60000 to £75000, subject to experience

  • Flexible-hybrid working model (1 day every two weeks)

Tech / tool stack

  • C# / .NET (primary engineering ecosystem), React

  • Java (J2EE), TypeScript and Python

  • AWS (cloud infrastructure and services), Docker (containerised workloads)

  • SAST/DAST tooling (specific products may vary; you'll help tune and operationalise them)

Impact plan

30 Days

  • Onboard into Redgate's products, SDLC and delivery rhythms (how work moves from idea to code to deploy).

  • Get access to core systems and security tooling; understand what's in place today (SAST/DAST coverage, alert volumes, current processes).

  • Shadow the Product Security Architect and sit in on a handful of ceremonies (planning/refinement/retro) to understand team dynamics and where security naturally fits.

  • Triage a small set of findings with guidance (e.g. top recurring SAST issues), focusing on learning severity expectations and remediation patterns.

  • Start building a knowledge base: common app patterns, approved controls, how we do security here and where to find the right people.


60 Days

  • Begin owning a defined slice of AppSec work with supervision (e.g. one product area or a specific SDLC initiative like SAST tuning or DAST onboarding).

  • Build working relationships with a small set of partner teams and establish a predictable engagement model (intake path, review checklist).

  • Start contributing to security reviews for new features or higher-risk changes, initially as a second set of eyes, then independently for scoped areas.

  • Help improve signal-to-noise in SAST/DAST: tune rules, reduce duplicates and document triage guidance that developers can follow.

  • Support lightweight threat modelling sessions alongside the Architect (prep, note-taking, translating outcomes into engineering actions).


90 Days

  • Independently handle routine AppSec support for agreed scope (e.g. first-pass triage, basic secure design guidance, follow-ups with teams), escalating appropriately.

  • Deliver tangible process improvements that reduce friction (e.g. a clearer severity rubric, a repeatable intake template, a common-findings fix guide).

  • Demonstrate steady throughput on findings: consistent triage quality, meaningful developer support and reduced turnaround time for the scoped area.

  • Contribute to a secure-by-default library/SDK.


Required Experience:

IC

About Company

Solve the complex challenges of database management across the DevOps lifecycle on any database, any platform, anywhere.