Applications Security Engineer

RealVNC
Cambridge, United Kingdom
yesterday

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Intermediate

Job location

Remote
Cambridge, United Kingdom

Tech stack

Java
Microsoft Windows
API
Artificial Intelligence
Android
iOS
Apple Mac Systems
Software System Penetration Testing
Burp Suite
C++
Code Review
Computer Security
Linux
DevOps
Mobile Application Software
Python
Systems Development Life Cycle
Secure Coding
Software Engineering
SQL Injection
Software Security
Cyber Threat Analysis
Cross-Site Scripting (XSS)
Deployment Automation
Synopsys Black Duck
Devsecops
Static Application Security Testing
Vulnerability Analysis
Dynamic Application Security Testing

Job description

We are seeking a highly skilled Applications Security Engineer to join our Cyber Security team, helping to ensure security is embedded throughout the Software Development Lifecycle (SDLC). This is a hands-on technical role: we need someone who can identify, analyse, and help mitigate vulnerabilities in our applications throughout the development lifecycle. This role exists to protect our customers and reputation by making sure security is tested into our products before they ship. You will work closely with Security, Development and QA teams to embed robust, evidence-based security practices throughout our software delivery process., * Conduct manual penetration testing and vulnerability assessments across various environments including web, API, desktop and mobile applications.

  • Execute Dynamic Application Security Testing (DAST) on running applications, focusing on XSS, SQL Injection, Broken Access Control etc., manually confirming exploitability beyond what scanners or AI analysis reports.
  • Use Interactive Application Security Testing (IAST) tools for runtime analysis, such as Burp Suite, OWASP ZAP, Frida, applying hands-on technique to validate and extend automated results.
  • Conduct Static Application Security Testing (SAST) and Software Composition Analysis (SCA) on source code and binaries, manually triaging findings to separate real risk from noise, using AI tools to accelerate initial triage where helpful.

Secure Design & Threat Modelling

  • Ensure the foundation is secure from the start by conducting threat modelling and risk assessments during design phases.
  • Provide security requirements for new features and architecture reviews.

Development & Code Assurance

  • Perform secure code reviews and advise developers on ensuring security best practises are followed.
  • Make use of AI-assisted code review tools to speed up initial passes, while personally validating any flagged issue against actual code behaviour.
  • Collaborate with engineering teams to integrate security into development workflows.

Deployment & Monitoring

  • Partner with DevOps to advise on secure configurations and hardening in production environments.
  • Support incident response and remediation of application-level vulnerabilities.

Threat Intelligence, Governance & Training

  • Keep up to date with industry news, vulnerability announcements and guidelines.
  • Deliver secure coding training and promote a positive security posture., * Leveraging AI to help drive efficiency in day-to-day workflows.
  • Exploit development activities, such as exploiting buffer overflows, crafting shellcode or analysing patches.
  • Knowledge and understanding of Cyber Security frameworks such as NIST Cybersecurity Framework.
  • Regulatory compliance - knowledge of GDPR, ISO-27001 and SOC2.
  • Details of any security-based qualifications., We work in a hybrid environment where employees combine working remotely and working from the office to facilitate a high-performance working environment - with the ability to collaborate effectively and build a cohesive team bond whilst being able to focus and deliver quality results. With this in mind, you will need to easily be able to commute to Cambridge and / or London.

Requirements

You;

  • Have hands-on experience with DAST, IAST and penetration testing tools (e.g., Burp Suite, OWASP ZAP, Frida), and can manually identify and exploit vulnerabilities beyond what these tools surface automatically.
  • Can demonstrate independent, hands-on technical ability, for example through CTF experience, bug bounty history, HackTheBox/TryHackMe rankings, or a technical portfolio, rather than relying on AI-assisted tooling to do the analysis for you.
  • Have 3-5 years' experience in an application security, penetration testing, or software engineering role with a strong security focus.
  • Have a strong understanding of secure SDLC and DevSecOps principles.
  • Strong understanding of application security principles and common vulnerabilities (e.g., XSS, SQL Injection, Broken Access Control).
  • Have experience with Static Application Security Testing (SAST).
  • Have practical experience using software composition analysis (SCA) tools such as Blackduck, Mend/Whitesource, Snyk or similar.
  • Can easily explain complex security concepts to non-technical stakeholders and write clear security reports.
  • Work well with a wide range of stakeholders as part of a cross-functional team, including system administrators, developers, network engineers and information security compliance.
  • Have proficiency in secure coding practices (Java, Python, C++ or similar).
  • Are familiar with common Operating Systems - Windows, Linux, macOS, Android and iOS.

Benefits & conditions

Pulled from the full job description

  • Company pension
  • Car scheme, This role offers a great opportunity to join our Cyber Security team, working for a successful, growing company with a recognised global brand and huge potential and vision. Working with us on our growth journey provides the chance to see first-hand how your individual contributions as part of a dynamic team influence the success of our business. We want to see you grow with us. We're committed to creating a culture where contributions are recognised, careers grow and people thrive together. Through a clear career framework and ongoing development, we can help you unlock your full potential.

We also offer generous benefits, including a contributory pension, EV car leasing scheme, private dental and medical cover.

About the company

RealVNC is the remote access platform for engineers looking for the most reliable and the most secure solution built by the creators of VNC technology. Over the last 25 years, as the inventors of VNC, we've enabled a global workforce to work wherever works and created the remote access market. Our software is used by hundreds of millions of users worldwide including IT professionals from global companies, such as Intel, IBM, NASA, Shell, DreamWorks and Philips. Our lead product, VNC Connect, allows users to connect securely to a remote device anywhere in the world, see its screen in real-time, and take control as though sitting in front of it. The product has been deployed across a myriad of use cases, from remote support through to deploying the software onto connected devices such as medical ventilators, set-top boxes, heavy industrial machinery and more. Backed by leading mid-market private equity firm, Livingbridge since 2021, we are investing in our people to support our highly ambitious growth plans. As part of our people strategy to develop our next generation organisation, we are looking to add new team members that are integral to the success of the business, committed to delivering high quality results, collaboration and innovation to help accelerate company growth., RealVNC has a responsibility to ensure that all staff are eligible to live and work in the UK and if you're invited to interview you'll be required to provide proof of your eligibility to work. RealVNC is an equal opportunities employer, committed to staff welfare and professional development. Staffing and Recruitment Agencies To all Staffing and Recruiting Agencies: Our website is only intended for individuals and preferred suppliers of RealVNC. Staffing and recruiting agencies and individuals being represented by an agency that is not a preferred supplier are not authorized to use this site or to submit profiles, applications or CVs, or to forward CVs directly to employees or any other company location, and any such submissions will be considered unsolicited. RealVNC does not accept unsolicited CVs or applications from agencies other than preferred suppliers. RealVNC is not responsible for any fees related to unsolicited CVs or applications and explicitly reserve its right to contact candidates presented in such unsolicited CV or application.

Apply for this position