Senior Application Security (AppSec) Engineer

About Zego

At Zego, we understand that traditional motor insurance holds good drivers back. It's too complicated, too expensive, and it doesn't reflect how well you actually drive. Since 2016, we have been on a mission to change that by offering the lowest priced insurance for good drivers.

From van drivers and gig workers to everyday car drivers, our customers are the driving force behind everything we do. We've sold tens of millions of policies and raised over $200 million in funding. And we’re only just getting started.

Overview of our Engineering Team

Zego puts technology first in its mission to define the future of the insurance industry. By focusing on our customers' needs we're building the flexible and sustainable insurance products and services that they deserve. And we do that by empowering a diverse, resourceful, and creative team of engineers that thrive on challenge and innovation.

Overview of the role

• You will play a key role in shaping the future of Security at Zego.
• You will be part of the team ultimately responsible for the security of the Zego services
• You will collaborate closely with Product Engineering, Technical Operations, DPO, Information Security and Compliance to help build secure products and services
• You will champion agile methodologies, metrics and tooling to support the teams in incrementally improving our security posture

Key Responsibilities

• Collaborate closely with product and technical operations teams to identify and mitigate vulnerabilities across our technology stack.
• Partner with product engineers to explore innovative ways to safeguard customer data.
• Influence the development of security tools, processes, and culture to enhance our overall security posture.
• Streamline developer workflows by optimising security remediation processes, driving efficiency, and improving resolution times.
• Champion secure coding practices through code reviews, mentoring, and active collaboration with development teams.
• Develop and maintain security-related documentation, including policies, procedures, and guidelines for both application and infrastructure security.
• Respond to security incidents, working with the engineering team to ensure timely and effective resolution.
• Cultivate a security-first mindset through knowledge sharing, internal guilds, and external engagement at meet-ups and conferences.
• Support external security audits, assessments, certifications, and penetration testing initiatives.

What you will need to be successful in the Role

We are looking for engineers who embrace the DevOps culture to deliver continuous improvements to our security posture. Engaging and empowering the teams to drive change leveraging metrics and championing automation and observability.

What you'll bring to the Team

• Strong knowledge of secure coding practices, secure software design principles, and secure software supply chain best practices in production environments.
• Proven experience collaborating with software development teams, with an understanding of their workflows and challenges.
• Proficiency in at least two programming languages such as Python, Scala, Node, Swift, or Kotlin.
• Deep understanding of web application vulnerabilities, with practical experience applying OWASP guidelines and best practices.
• Hands-on experience in managing application vulnerabilities, including identification, triaging, qualification, reporting, performing code reviews, and conducting remediation validation tests.
• Expertise in performing root cause analysis for discovered vulnerabilities.
• Experience integrating SAST/DAST/IAST/SCA toolchains into development workflows, along with maintaining these tools.
• Skilled in using security testing tools such as Burp Suite or ZAP.
• Experience coordinating and facilitating external web application penetration testing.
• Ability to clearly communicate complex technical concepts to non-technical audiences.

If possible, we'd also love you to have

• Experience with mobile security.
• Familiarity with AWS cloud environments.
• Knowledge of containers and Kubernetes.
• Experience with Terraform.
• Proficiency in Git and GitOps practices.

How we work

We believe that teams work better when they have time to collaborate and space to get things done. We call it Zego Hybrid.

Our hybrid way of working is unique. We don't mandate fixed office days. Instead, we foster a flexible approach that empowers every Zegon to perform at their best. We ask you to spend at least one day a week in our central London office. You have the flexibility to choose the day that works best for you and your team. We cover the costs for all company-wide events (3 per year), and also provide a separate hybrid contribution to help pay towards other travel costs. We think it’s a good mix of collaborative face time and flexible home-working, setting us up to achieve the right balance between work and life.

Benefits

We reward our people well. Join us and you’ll get a market-competitive salary, private medical insurance, company share options, generous holiday allowance, and a whole lot of wellbeing benefits. And that’s just for starters.

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, national origin, gender, sexual orientation, age, marital status, or disability status.

#LI-Hybrid

#LI-IL1