Senior Software Security Engineer

The Senior Software Security Engineer will analyze software designs and implementations for security, identifying and remediating issues throughout the SDLC. This role involves performing threat modeling, security code reviews, and supporting engineering teams in defining security requirements. The engineer will also define and oversee the deployment of automated security testing tools, conduct manual penetration testing, and manage vulnerabilities. Key responsibilities include establishing secure coding standards, integrating DevSecOps principles into CI/CD pipelines, and supporting incident response processes to ensure product compliance with security standards.

Must Have

• Perform threat modeling, risk assessments, and architecture reviews.
• Support engineering teams on detailed security requirements.
• Perform security code reviews.
• Define and oversee deployment of SCA, SAST, DAST, and Secret Detection tools.
• Conduct manual penetration testing of web applications.
• Triage and validate findings from automated security scanning tools.
• Assess vulnerability risk and communicate issues to stakeholders.
• Establish and maintain secure coding standards and best practices.
• Assist with implementing secure CI/CD pipelines using DevSecOps.
• Support product security incident response processes.
• Monitor emerging security threats and integrate new protections.
• Ensure products comply with relevant security standards (OWASP, NIST).

Good to Have

• Manual penetration testing skills in cloud infrastructure, embedded/OS or mobile.
• Familiarity with security considerations for AI/ML systems.
• Understanding of distributed systems design, implementation and operation.
• Understanding of privacy threats and controls.
• Exploit development experience.
• Experience with enterprise log collection and analysis platforms (e.g., Splunk, OSQuery).
• Master's degree or equivalent experience preferred.
• Security certifications (OSCP, OSEE, SANS/GIAC, CCSP, CISSP).
• Experience in a high-growth technology environment or SaaS business.

Perks & Benefits

• Contract of Employment (UoP)
• Private medical coverage
• Multisport
• Life insurance (two annual incomes)
• Employee Stock Purchase Plan – 15% discount for buying Motorola’s Stock units
• Employee Pension Plan – 3,5 % of the month’s salary gross, which goes to the retirement account
• IP Tax Relief (up to 50%)
• Yearly salary increase (depends on individual performance)
• Yearly bonus (depends on company performance)
• UK working hours (working day between 10-18)
• 8 hours working day (30 minutes lunch break included)
• Hybrid/ remote work

This role is primarily hybrid, with occasional travel to our Krakow office.

Responsibilities

Security Design and Implementation

• Perform threat modelling, risk assessments, and architecture reviews to identify and mitigate risk.
• Support the engineering teams on definition on detailed security requirements to meet compliance requirements and industry best practices.
• Perform security code reviews looking for potential security vulnerabilities.
• Act as a subject matter expert to advise and answer questions from engineering and compliance teams on technical product security matters.

Security Testing

• Define and oversee the deployment of Software Composition Analysis (SCA) tools to compile SBOMs of software components, helping to identify known vulnerabilities and license compliance violations.
• Define and oversee the deployment of automated security testing tools into CI pipelines, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Secret Detection scanning tools.
• Manual penetration testing of web applications (backend and frontend).Manual penetration testing skills in the domains of cloud infrastructure, embedded/OS or mobile are desirable.
• Write custom scripts or unit test cases to check for vulnerabilities or broken/missing security controls.
• Recommend improvements to existing security scanning tools and processes, and propose new ones.

Vulnerability Management

• Periodically triage the findings from the automated security scanning tools.
• Validate potential security vulnerabilities to determine whether they are actual true positives, or false positives (i.e. non-applicable) in the product context. Write proof of concept exploits when necessary to achieve this.
• Assess the risk of vulnerabilities and threats in order to help the business determine their remediation priority order.
• Communicate the identified security issues to engineering and compliance stakeholders, and manage them throughout the SDLC process to ensure they are properly addressed.

SDLC and DevSecOps Integration

• Establish and maintain secure coding standards, baseline product security requirements and more general best practices to provide guidance to development teams.
• Assist the program area with implementing a secure Continuous Integration/Continuous Delivery (CI/CD) pipeline utilizing DevSecOps principles and practices to increase automation.
• Implement automated security controls as part of CI/CD pipelines.

Incident Response and Compliance

• Support product security incident response processes, including root cause analysis (identify the affected product components, data, and the overall impact level) and definition of mitigation strategies.
• Define clear criteria and protocols for security incident response.
• Conduct post-incident analysis to compile lists of lessons learned, and measures to prevent similar incidents from reoccurring, and refine response strategies.
• Monitor emerging security threats, vulnerabilities, and trends to proactively investigate, remediate, and integrate new protections.
• Ensure products comply with relevant security standards, certifications, and regulations (e.g., OWASP, NIST).

Basic Requirements

Required Qualifications

Experience and Education

• 5+ years of experience in Security Engineering with a focus on product security and/or application security.
• Bachelor’s degree in Computer Science, Information Security, or a related technical field.
• Good verbal and written English communication.

Technical Skills

• In-depth knowledge of Linux and Docker container-based infrastructures, including their orchestration (e.g. Kubernetes).
• Working knowledge of techniques, standards, and state-of-the-art authentication and authorization technologies, applied cryptography, security vulnerabilities and remediations.
• Significant software development experience. Experience in Go (our main backend language), Typescript/Javascript, C/C++, Python and Bash is desirable.
• Working knowledge of web-related protocols and technologies (HTTP, REST APIs, DOM, CSP), networking protocols (IP, TCP, UDP), and security protocols (TLS).
• Experience in performing threat modeling, with a good grasp of common threat vectors and frameworks.
• Strong knowledge of security principles, best practices, and industry standards, such as NIST, ISO 27001, and CIS Critical Security Controls, OWASP ASVS and Testing Guides.
• Familiarity with industry-standard security frameworks such as OWASP and NIST.
• Experience with security tools such as SAST, DAST, IAST, and SCA.
• Exceptional analytical and investigative skills, with hands-on experience in root cause analysis.
• Knowledge of current and emerging threats and techniques for exploiting security vulnerabilities.
• Experience with CI/CD pipeline, security tools integration, and secure SDLC.
• Experience with cloud-based infrastructure (AWS, Azure, or Google Cloud), and on best practices on how to secure cloud environments.

Desirable Qualifications

Advanced Expertise

• Familiarity with security considerations for AI/ML systems is desirable.
• Understanding of distributed systems design, implementation and operation.
• Understanding of privacy threats and controls, including on how to adapt generic best practices to specific scenarios in the product by providing detailed specifications to stakeholders.
• Exploit development experience, and good understanding of the necessary conditions to trigger different vulnerability types, and the maximum impact achievable.
• Experience with enterprise log collection and analysis platforms (e.g., Splunk, OSQuery).

Education and Certifications

• Master's degree or equivalent experience preferred.
• Security certifications are a plus, including OSCP, OSEE, SANS/GIAC, CCSP, and CISSP.

Soft Skills and Leadership

• Excellent verbal and written communication, with the ability to translate complex security concepts to technical and non-technical stakeholders.
• Demonstrated ability to design, document, and implement new security processes.
• Experience in a high-growth technology environment or SaaS business.
• Ability to remain calm under pressure, especially during incidents or audits.

In return for your expertise, we’ll support you in this new challenge with coaching & development every step of the way. Also, to reward the hard work, you’ll get:

• Contract of Employment (UoP)
• Private medical coverage, Multisport
• Life insurance (two annual incomes),
• Employee Stock Purchase Plan – 15% discount for buying Motorola’s Stock units,
• Employee Pension Plan – 3,5 % of the month’s salary gross, which goes to the retirement account
• IP Tax Relief (up to 50%)
• Yearly salary increase (depends on individual performance)
• Yearly bonus (depends on company performance)
• UK working hours (working day between 10-18),
• 8 hours working day (30 minutes lunch break included).
• Hybrid/ remote work

Travel Requirements

Under 10%

Relocation Provided

None

Position Type

Experienced

Referral Payment Plan

Yes