About the company
a software product security role (often called product security engineer or prod sec) is the bridge between traditional cybersecurity and software engineering. Unlike it security, which focuses on protecting the company's internal network, product security focuses on ensuring the software the company sells or provides is resilient against attacks.
about the role
the product security engineer works directly with dev ops and engineering teams to bake security into the software development life cycle (sdlc). The goal is to move security "left"—finding and fixing vulnerabilities during the design and coding phases rather than after the product has launched.
responsibilities
secure design & threat modeling: reviewing new features before a single line of code is written. You'll identify potential attack vectors and suggest mitigations. Vulnerability management: triaging bugs found via automated scanners, internal audits, or bug bounty programs. Security tooling: implementing and managing tools like sast (static analysis), dast (dynamic analysis), and sca (software composition analysis) to catch insecure dependencies. Code reviews: performing manual "deep dives" into critical codebases to spot logic flaws that automated tools might miss. Incident response: acting as a subject matter expert when a security flaw is exploited in production. Internal red teaming: lead activities to find ways to bypass the logic to alter "recipe" files or production data. Developer training: creating "security champions" programs to teach engineers how to write defensive code.
qualifications
proficiency in at least one "product" language (c# (. Net core), java script, sql). Deep understanding of the owasp top 10 (sqli, xss, csrf) and cloud security (aws/azure/gcp). Experience with snyk, checkmarx, burp suite, or git hub advanced security. Familiarity with docker, kubernetes, and ci/cd pipelines (jenkins, git lab ci).
required skills
proficiency in at least one "product" language (c# (. Net core), java script, sql). Deep understanding of the owasp top 10 (sqli, xss, csrf) and cloud security (aws/azure/gcp). Experience with snyk, checkmarx, burp suite, or git hub advanced security. Familiarity with docker, kubernetes, and ci/cd pipelines (jenkins, git lab ci).
preferred skills
experience with snyk, checkmarx, burp suite, or git hub advanced security. Familiarity with docker, kubernetes, and ci/cd pipelines (jenkins, git lab ci).
pay range and compensation package
this isn't a "gatekeeper" role. To be successful, you have to be a collaborative problem-solver. Developers often see security as a hurdle; your job is to make the "secure way" the "easy way." If you enjoy breaking things to learn how to fix them, you'll love prod sec.
equal opportunity statement
i'm looking for "security engineers" who can actually code and contribute to the repository, rather than just pointing out problems and leaving.