Join DevX and Tooling to make Developer Experience safer and faster. You'll build secure-by-default tooling, templates and pipeline checks that fit engineers' day-to-day, run key GitHub security capabilities at scale, and surface meaningful signals that show impact. Your work reduces friction while strengthening the BBC's Secure SDLC.
Responsibilities
* Operate GitHub Advanced Security at scale - CodeQL code scanning, secret scanning and push protection with sensible policies and triage flows.
* Own Dependabot strategy - safe update policies, grouping/auto-merge where appropriate, PR hygiene and actionable alerting.
* Integrate security automation into CI/CD - gating checks in GitHub Actions or equivalents with auditable exceptions.
* Build reusable secure templates, libraries and policy-as-code guardrails for services, pipelines and Infrastructure as Code.
* Support threat modelling and design reviews; translate outcomes into repeatable checks and templates.
* Contribute to DevX tools and services with high-quality code, tests, docs and reviews; instrument controls to surface useful signals.
* Integrate with monitoring and incident tooling; participate in incident response for DevX services when required. GitHub Advanced Security at scale - administer CodeQL, secret scanning and push protection; set org/repo policies and triage workflows developers will use.
* Dependabot expertise - design update and alerting strategy to keep dependencies fresh without churn.
* CI/CD security automation - integrate and tune gating checks; manage exceptions with auditability.
* Software supply chain security - SBOM generation/verification, artefact signing and provenance; pragmatic CVE triage.
* Secure coding in at least two of Node.js, Python, Java, with rigorous reviews focused on auth, input handling and error handling; produce reusable secure templates.
* Hands on Experience building, deploying and running solutions on AWS.
Desired But Not Required
* IaC and cloud hardening - Terraform/CloudFormation security, policy-as-code and secure defaults for IAM, networking and secrets.
* SLSA or similar supply-chain frameworks; build system hardening and release hygiene.
* AI-assisted developer tooling (e.g. GitHub Copilot, code assistants/agents) - understand risks like prompt injection, data exfiltration and insecure suggestions; design guardrails, policies and CI/CD checks.
* Developer-centred security UX - paved roads, reusable templates and docs that reduce friction and false positives.
* Incident response for developer tooling - runbooks, tabletop exercises and security-focused post-incident reviews.
#J-18808-Ljbffr