Security Engineer

Security Engineer - (EXTEND) Join to apply for the Security Engineer - (EXTEND) role at BBC. This role is advertised as part of our BBC Extend programme for disabled people. To apply you should identify as deaf, disabled or neurodivergent and must meet either the definition of disability in the Equality Act (2010) or the Disability Discrimination Act (1995) if applying in Northern Ireland. You’re broadly defined as disabled under both acts if you have a physical or mental impairment that has a substantial and long‑term negative or adverse effect on your ability to do normal daily activities. BBC is fully committed to providing workplace adjustments to help eliminate barriers that disabled people face. If you are successful in applying for this role and require workplace adjustments, we will work with you to get your adjustments in place. Job band: C. Contract type: Permanent, Full‑time. Department: Product Group - Enablement - Engineering Enablement. Location: London, Cardiff, Salford, Newcastle, Glasgow - Hybrid. Proposed salary range: 50,000-55,000. Purpose of the Role Join DevX and Tooling to make Developer Experience safer and faster. You’ll build secure‑by‑default tooling, templates and pipeline checks that fit engineers’ day‑to‑day, run key GitHub security capabilities at scale, and surface meaningful signals that show impact. Your work reduces friction while strengthening the BBC’s Secure SDLC. Why Join the Team Work where security meets usability. In DevX and Tooling you’ll ship guardrails that developers adopt, prove impact with real usage data, and collaborate with peers who value clear thinking over theatre. You’ll have autonomy, tight feedback loops and the chance to raise the security bar across hundreds of teams. Your Key Responsibilities And Impact Operate GitHub Advanced Security at scale – CodeQL code scanning, secret scanning and push protection with sensible policies and triage flows. Own Dependabot strategy – safe update policies, grouping/auto‑merge where appropriate, PR hygiene and actionable alerting. Integrate security automation into CI/CD – gating checks in GitHub Actions or equivalents with auditable exceptions. Build reusable secure templates, libraries and policy‑as‑code guardrails for services, pipelines and Infrastructure as Code. Support threat modelling and design reviews; translate outcomes into repeatable checks and templates. Contribute to DevX tools and services with high‑quality code, tests, docs and reviews; instrument controls to surface useful signals. Integrate with monitoring and incident tooling; participate in incident response for DevX services when required. Essential Criteria Your Skills and Experience GitHub Advanced Security at scale – administer CodeQL, secret scanning and push protection; set org/repo policies and triage workflows developers will use. Dependabot expertise – design update and alerting strategy to keep dependencies fresh without churn. CI/CD security automation – integrate and tune gating checks; manage exceptions with auditability. Software supply chain security – SBOM generation/verification, artefact signing and provenance; pragmatic CVE triage. Secure coding in at least two of Node.js, Python, Java, with rigorous reviews focused on auth, input handling and error handling; produce reusable secure templates. Hands on Experience building, deploying and running solutions on AWS. Desired But Not Required IaC and cloud hardening – Terraform/CloudFormation security, policy‑as‑code and secure defaults for IAM, networking and secrets. SLSA or similar supply‑chain frameworks; build system hardening and release hygiene. AI‑assisted developer tooling (e.g. GitHub Copilot, code assistants/agents) – understand risks like prompt injection, data exfiltration and insecure suggestions; design guardrails, policies and CI/CD checks. Developer‑centred security UX – paved roads, reusable templates and docs that reduce friction and false positives. Incident response for developer tooling – runbooks, tabletop exercises and security‑focused post‑incident reviews. Before your start date, you may need to disclose any unspent convictions or police charges, in line with our Contracts of Employment policy. This allows us to discuss any support you may need and assess any risks. Failure to disclose may result in the withdrawal of your offer. Seniority Level Mid‑Senior level Employment Type Full‑time Job Function Information Technology Industries Broadcast Media Production and Distribution #J-18808-Ljbffr