Applications Security Engineer
1 day ago
RealVNC is the remote access platform for engineers looking for the most reliable and the most secure solution built by the creators of VNC technology. Over the last 25 years, as the inventors of VNC, we've enabled a global workforce to work wherever works and created the remote access market. Our software is used by hundreds of millions of users worldwide including IT professionals from global companies, such as Intel, IBM, NASA, Shell, DreamWorks and Philips.
Our lead product, VNC Connect, allows users to connect securely to a remote device anywhere in the world, see its screen in real-time, and take control as though sitting in front of it. The product has been deployed across a myriad of use cases, from remote support through to deploying the software onto connected devices such as medical ventilators, set-top boxes, heavy industrial machinery and more.
Backed by leading mid-market private equity firm Livingbridge since 2021, we are investing in our people to support our highly ambitious growth plans. As part of our people strategy to develop our next generation organisation, we are looking to add new team members that are integral to the success of the business, committed to delivering high quality results, collaboration and innovation to help accelerate company growth.
Position:
We are seeking a highly skilled Application Security Engineer to join our Cyber Security team helping to ensure security is embedded throughout the Software Development Lifecycle (SDLC). This role focuses on identifying, analysing, and mitigating vulnerabilities in our applications throughout the development lifecycle. The successful candidate will work closely with security, development and QA teams to ensure robust security practices are embedded in our software delivery process.
Key responsibilities include:
Secure Design & Threat Modelling:
- Ensure the foundation is secure from the start by conducting threat modelling and risk assessments during design phases.
- Provide security requirements for new features and architecture reviews.
Development & Code Assurance:
- Perform secure code reviews and advise developers on CIS Critical Security Controls and OWASP Top 10 compliance.
- Collaborate with engineering teams to integrate security into development workflows.
Testing & Automation:
- Execute Dynamic Application Security Testing (DAST) on running applications, focusing on XSS, SQL Injection, Broken Access Control etc.
- Use Interactive Application Security Testing (IAST) tools, such as Burp Suite, OWASP ZAP and Frida, for runtime analysis.
- Conduct Static Application Security Testing (SAST) and Software Composition Analysis (SCA) on source code and binaries.
- Conduct testing and vulnerability assessments across desktop, web and mobile applications.
Deployment & Monitoring:
- Partner with DevOps to advise on secure configurations and hardening in production environments.
- Support incident response and remediation of application-level vulnerabilities.
Threat Intelligence, Governance & Training:
- Keep up to date with industry news, vulnerability announcements and guidelines.
- Deliver secure coding training and promote a positive security posture.
Requirements:
You:
- Have a strong understanding of secure SDLC and DevSecOps principles.
- Have a strong understanding of application security principles and common vulnerabilities (e.g., XSS, SQL Injection, Broken Access Control).
- Have proficiency in secure coding practices (Java, Python, C++ or similar).
- Have hands-on experience with DAST, IAST and penetration testing tools (e.g., Burp Suite, OWASP ZAP, Frida).
- Have experience with Static Application Security Testing (SAST).
- Have practical experience using software composition analysis (SCA) tools such as Black Duck, Mend/WhiteSource, Snyk or similar.
- Can easily explain complex security concepts to non-technical stakeholders and write clear security reports.
- Work well with a wide range of stakeholders as part of a cross-functional team, including system administrators, developers, network engineers and information security compliance.
- Are familiar with common Operating Systems - Windows, Linux, macOS, Android and iOS.
We would also like to know about any of the following:
- Exploit development activities, such as exploiting buffer overflows, crafting shellcode or analysing patches.
- Knowledge and understanding of Cyber Security frameworks such as CIS Critical Controls v8 and NIST Cybersecurity Framework.
- Regulatory compliance - knowledge of GDPR, ISO-27001 and SOC2.
- Knowledge of encryption methods and best practices for protecting sensitive data.
- Previous experience in a security-based role.
- Details of any security-based qualifications.
Other information:
Benefits
This role offers a great opportunity to join our Cyber Security Team, working for a successful, growing company with a recognised global brand and huge potential and vision. Working with us on our growth journey provides the chance to see first-hand how your individual contributions as part of a dynamic team influence the success of our business. We want to see you grow with us. We're committed to creating a culture where contributions are recognised, careers grow and people thrive together. Through a clear career framework and ongoing development, we can help you unlock your full potential.
We also offer generous benefits, including a contributory pension, EV car leasing scheme, private dental and medical cover.
We work in a hybrid environment where employees combine working remotely and working from the office to facilitate a high-performance working environment – with the ability to collaborate effectively and build a cohesive team bond whilst being able to focus and deliver quality results. With this in mind, you will need to easily be able to commute to Cambridge and / or London.
How To Apply
If you'd like to join RealVNC as an Applications Security Engineer, please click on the 'apply for this job' button and fill in your details.
RealVNC has a responsibility to ensure that all staff are eligible to live and work in the UK and if you're invited to interview you'll be required to provide proof of your eligibility to work.
RealVNC is an equal opportunities employer, committed to staff welfare and professional development.
Staffing and Recruitment Agencies
To all Staffing and Recruiting Agencies: Our website is only intended for individuals and preferred suppliers of RealVNC. Staffing and recruiting agencies and individuals being represented by an agency that is not a preferred supplier are not authorized to use this site or to submit profiles, applications or CVs, or to forward CVs directly to employees or any other company location, and any such submissions will be considered unsolicited.
RealVNC does not accept unsolicited CVs or applications from agencies other than preferred suppliers. RealVNC is not responsible for any fees related to unsolicited CVs or applications and explicitly reserves its right to contact candidates presented in such an unsolicited CV or application.