Gerrards Cross (Hybrid or remote)
Do you want to help shape software that affects thousands of lives?
About the Company
We are the UK’s #1 construction‑specific software player, delivering market‑leading end‑to‑end solutions across the build life cycle. Our teams are based in the UK, Europe, and India, working on products used globally. We are committed to diversity and equality and build a culture of inclusion.
Purpose
This senior, people‑focused role sits at the intersection of secure software engineering, application security, and enterprise cyber operations. You will lead the strategy and hands‑on execution for AppSec across a broad technology stack, partner with engineers to remediate complex vulnerabilities (first‑party code and third‑party libraries), run and improve offensive security and vulnerability management practices, and ensure alignment with ISO 27001, CE+, SOC 2 and internal standards. A core expectation is to coach and upskill teams, embedding security by design and accelerating safe delivery.
Key Responsibilities
* AppSec program uplift: standardise and embed SAST/DAST/SCA across CI/CD with clear policies, SLAs and reporting.
* Risk reduction: demonstrable reduction in critical/high vulnerabilities, with improved time‑to‑remediate quarter‑on‑quarter.
* Developer enablement: launch a secure‑coding, threat‑modelling, and vulnerability‑triage training programme with >90% adoption in priority teams.
* Zero‑day readiness: define and test playbooks; establish cross‑functional war room capability.
* Governance: create metrics and KPI/KRI dashboards for executive and board‑level reporting.
* Leadership & strategy: own the application‑security roadmap, align with business risk and compliance obligations, and influence senior engineering leadership on architecture decisions.
* Tooling & platform enablement: administer and optimise AppSec and vulnerability tools (Mend, Qualys, Tenable, Defender for Endpoint, etc.) and integrate them into CI/CD and developer workflows.
* Offensive security: coordinate penetration testing, validate findings, partner with product teams to track remediation.
* Incident readiness: lead zero‑day response, support incident investigations, run tabletop exercises, and provide security input to policies and customer questionnaires.
Qualifications & Experience
* Proven background in software engineering (e.g., .NET, Java, JavaScript/TypeScript, Python) and secure coding practices.
* Strong experience integrating SAST/DAST/SCA controls into CI/CD pipelines.
* Hands‑on penetration testing and vulnerability management (OWASP, Burp Suite, ZAP, Qualys, Tenable).
* Experience securing workloads in AWS, Azure and/or GCP; familiarity with cloud‑native controls.
* Knowledge of ISO 27001, NIST, CE+, SOC 2 and secure SDLC/DevSecOps practices.
* Influential communicator, coach/mentor, pragmatic problem‑solver.
* Certifications such as OSCP, GWAPT, CSSLP, CISSP, CISM, or cloud security (AWS Security Specialty, AZ‑500) are a plus.
Tools & Technologies
* SCA: Mend (preferred), Snyk.
* SAST/DAST: SonarQube, Burp Suite, ZAP.
* Vulnerability Management: Tenable, Defender for Endpoint.
* CI/CD & DevOps: GitHub/GitLab/Azure DevOps, Jira, Terraform, Kubernetes.
* Web Application Firewalls.
What We Offer
* 25 days annual leave + public holidays, increasing with service.
* 4% matched pension.
* Income protection and life assurance.
* Access to award‑winning benefits platform.
* Dedicated EAP 24/7 and emphasis on mental health.
* £100 allowance for fitness club.
* Dell discounts, private medical insurance, paid study leave and volunteering days, car scheme.
Our culture is built on our values: United, Agile, Trusted and Driven. We support work‑life balance with hybrid work options and modern collaborative offices. Join us to shape software that impacts thousands and grow your career with an award‑winning company.