Principal Software Engineer - Security Engineer

Salford, UK
DevSecOps Security Engineer Principal Engineer
Actively hiring

hackajob is partnering with BBC to fill this position. Create a profile to be automatically considered for this role—and others that match your experience.

Job Introduction

The BBC’s digital products reach more than 500 million people every week and are trusted globally as a source of news, entertainment and education. That trust is built not only on our editorial standards, but also on the security, reliability and resilience of the systems behind every stream, story and service.

In Engineering Enablement, we’re the team that makes secure, high-velocity delivery possible. We build shared cloud platforms, developer tooling and guardrails that let hundreds of product teams ship confidently and sustainably.

We’re hiring a Principal Software Engineer - Security Engineer to help us embed secure-by-design thinking across the BBC. You’ll work hands-on with engineering teams, applying InfoSec-led policies and architecture in delivery contexts. You’ll support threat modelling, promote secure coding practices, and help scale Secure SDLC across the organisation - without reinventing governance or duplicating policy.

It’s a high-trust role with real impact: translating strategic security direction into pragmatic, actionable implementation that helps our teams deliver safely at scale.

Interview process

  • Stage 1: Technical Deep Dive (60 mins)
    Walk us through your experience delivering secure systems, discuss a real-world scenario, and complete a short security-focused code or design review.
  • Stage 2: Collaboration & Influence (60 mins)
    Explore how you collaborate with central security teams, enable secure engineering at scale, and support adoption of policies across delivery teams.

No prep required beyond a few examples of your work. 

Main Responsibilities

As a Principal Software Engineer - Security Engineer, you’ll work hands-on with product and platform teams across the BBC to embed secure engineering practices that align with InfoSec direction and policies.

  • Drive secure-by-design implementation across infrastructure and applications, ensuring delivery aligns with BBC security policy and architectural guidance.
  • Promote secure SDLC practices across engineering teams, collaborating with InfoSec on shared tooling, templates and enablement.
  • Help teams adopt secure coding standards and integrate automated security checks (SAST, DAST, dependency scanning) into CI/CD pipelines.
  • Participate in threat modelling using InfoSec-led methodologies and coordinate validation and review workflows.
  • Review technical designs, proposals and code for alignment with security policies, architecture patterns and assurance requirements.
  • Act as a bridge between InfoSec and delivery teams - supporting direct collaboration, not acting as a gatekeeper.
  • Feed real-world engineering insight back into InfoSec governance and assurance forums.
  • Champion secure development and operations practices, coaching teams and scaling adoption through reusable patterns and guidance.
  • Partner with infrastructure teams on security operations needs such as hardening, logging and incident readiness.
  • Stay ahead of emerging threats and technologies and share relevant insights across the BBC.

Are you the right candidate for the role?

We hire for potential and impact. If most of the statements below describe you, we’d love to hear from you:

  • You have a strong track record in software engineering with a focus on application and infrastructure security, ideally in agile or DevOps environments.
  • You’re fluent in secure development concepts - comfortable with OWASP Top 10, CWE and common secure design patterns.
  • You’ve helped teams adopt secure SDLC practices, working closely with central security or architecture groups.
  • You know how to embed tools like SAST, DAST, secrets detection and dependency scanning into CI/CD pipelines, and have the scars to prove it.
  • You’ve worked with complex, multi-tenant cloud platforms - ideally on AWS - and understand shared services, infra-as-code and central governance models.
  • You’ve built secure infrastructure and enforced compliance in the cloud, not just designed it on paper.
  • You can translate InfoSec policy into pragmatic implementation without reinventing it - and you’re trusted by both engineers and architects.
  • You collaborate naturally, earning trust from delivery teams and central stakeholders alike.
  • You communicate clearly and credibly - whether explaining risk trade-offs to a squad or feeding technical insight into an assurance board.

It’s a bonus if you’ve also:

  • Facilitated or contributed to threat modelling sessions using frameworks like STRIDE or DFDs.
  • Reviewed designs and code with a security lens and an eye for policy alignment.
  • Navigated delivery in regulated, public service or high-trust environments.
  • Been involved in incident response or risk assessment processes.
