Find More Than 10K+
United Kingdom Jobs

Security Engineer

Hybrid - working from home with occasional visits to a BCA location

Up to £75,000 per annum + bonus + benefits

40 hours per week Monday - Friday

Constellation Automotive Group is the largest vertically integrated digital car marketplace in Europe, with over 15,000 staff and a turnover in excess of £12 billion per year combining the leading digital brands across the segments of consumer to business, business to business and business to consumer.

Security is at the heart of everything we do and Constellation Automotive Group is actively expanding and improving Cyber Security throughout our business and supply chain. Want to join us on our journey?

We're looking to recruit a Security Engineer, as part of the Chief Information Security Office for the Constellation Automotive Group (CAG), working within a squad to design, develop and deliver best-in-breed security tooling and integrations between internal and external security tooling.

The Security Engineer will play an integral role in implementing technical knowledge into the wider security team while supporting the non-security engineering aspects of the group in the removal of security issues, vulnerabilities, legacy, and operational inefficiencies within the product space.

The role will be required to grow, support and management of a team that is focused on guiding security by design principles, creating guardrails within commonly used technologies explaining to internal and external stakeholders the path to improvement within this area asked for or supplied by the Chief Information Security Office service.

Reporting to the Head of Product Security and Engineering, the Product Security Engineer will help guide the business to gain more efficiency from the currently used toolset, and the risks of any control gaps brought through bad design. As well as acting as a driver for shift left the security practices within engineering and championed security to enable philosophies within the group.

This role is a new role and is developing, the candidate must be comfortable with the role developing over time and has the ability to help guide the responsibilities of the job. Due to this certain responsibilities are tagged as a future state.

Key Responsibilities

• Work with the Security Engineering and product teams to develop and maintain relevant security architecture artefacts (e.g. models, templates, standards and procedures) that are reusable by design
• Fostering collaboration between teams, squads, and wider Group Stakeholders.
• Threat model current threats against suggested product designs or changes
• Maximise the visibility of security flaws, control weaknesses, technical debt, and data flow in the current production environments.
• Create and run experiments into new methods and technologies within the security and how most efficiently embed new security technology.
• Research security enhancements that can be implemented from engineering aspects
• Collaborating with your peers to define software/infrastructure guardrail and security abstractions
• (future state) Engineering solutions that self-serve on meaningful security metrics lead to faster, safer code in production environments.
• (future state) Building security pipelines, that include SAST, DAST and license analysis for deep insight into early issues before release.
• (future state) Red team test threat models against current technology stake to support the governance, risk and compliance team as well as validate assumptions.

Skills and Experience Needed

• Experience in reviewing code or;
• Experience reviewing network device configurations
• Experience with either; Java, .Net, PHP, Typescript or Swift
• Experience with any of the following is a bonus.
• Equinix
• VMware
• Azure design and practices
• On-prem to cloud migrations or redesign
• Android or IoS application development
• Event modelling and event-driven architecture
• Understanding the importance of observability practices and shifting left practices
• Understanding or experience in the creation of Security technical compliance guardrails
• Understanding Threat Modelling practices against Cloud and Non-Cloud Architecture
• Understanding of DevOps and Software Delivery
• Understanding vulnerability management, triaging and threat modelling
• Experience in development and testing code
• Analytical thinking
• Deep dive into currently used technologies and make clear, easy-to-understand recommendations based on ease of use, reduction of risk and economic models
• Understanding the impact of update, removal, or risk acceptance of supporting party code libraries or existing technologies
• Experience with Control Tower, Security Hub, Sentinel, Elastic and Security centre.
• Maintain excellent stakeholder management and build strong relationships
• Ability to translate technical issues to non-security stakeholders.
• Ability to both self-manage workload and work in a distributed development team environment
• 3 + years of experience in development roles within Java, PHP, .NET or Typescript, or ;
• 3 + years of experience in DevOps, Security engineering or Infrastructure role within Azure or on-prem management of dedicated physical hardware.
• 3 + years working under agile principles.

Our policy is to employ the best qualified people and provide equal opportunity for the advancement of employees including promotion and training and not to discriminate against any person because of gender, race, ethnicity, age, sexual orientation, religion, belief or disability.