Cyber Security Partner

Security Engineer II
About our Security Partners team
We are 15+ and growing team that supports Tesco technology and software development teams across cloud and other cutting-edge technologies at scale. We have a new role as the security engineer for our security partners team based in the UK. The software development teams are responsible for their own security, so we act differently than a traditional security team. We are team of security partners, not security police... and we go as far as calling ourselves as Security Partners, not Security Architects or Engineers.
Our software engineering teams have tremendous freedom in their work and the corresponding responsibility to do the right thing for our customers. Instead of controlling our engineering teams with process and security gates, we enable them to innovate by providing security guidance to make right decisions for Tesco. The good news is that our engineering teams are (usually) willing partners in doing better security, more efficiently and earlier in the process. We want you to help us scale out and represent ourselves for the wider engineering domains.
Tesco has fully embraced devops and agile methodologies to develop our enterprise APIs, services and cloud capabilities. Our 100+ delivery teams have loads of Docker, Kubernetes and microservices galore across Azure and AWS, so our security approach must work with elastic, here today, gone tomorrow infrastructure. Our security approaches should be event- driven, real-time and effective. Weekly scans are so 2010.

The role
As a Security Engineer II, you will closely work with the Partners in the team to drive and execute security initiatives for one or more engineering teams. To do this, you’re good at secure design and secure coding principles. And you are versatile to learn multiple development environments (frameworks, languages and tools), and take up new challenges.
Developing strong security partnerships for Tesco Technology
Security partnerships are about transforming the way security is delivered within our technology domains and software engineering teams. We have different security challenges, and your role as a security partner is to actively champion positive security change within your product teams.

Job accountabilities

On a day-to-day basis you will
• Build a good understanding of the product area, and able to develop or assess security or privacy controls.
• Demonstrate how weaknesses in design or code can be exploited through POCs.
• Assist partnerships with security initiatives, be ready to hit the ground and perform.

Assist/support product teams to deliver new business features securely, while balancing and clearly articulating technical risks.
• Assist/support adoption of security capabilities into the engineering teams and product domains.
• Ready to review designs, code, pipelines, setups, configs for verification.
• Good understanding of security by design, security by default.
• Be ready to code. If you can raise a PR (pull request) to fix a security issue, do so.
• Or, develop a security control or test as suitable for the nature of the product.
• Scope security pentests and assist product teams in scheduling.
• Be an advocate for good security, take part in strengthening our internal standards and guidelines.
• Good interpersonal skills along with effective communication (both written and verbal) skills.
Longer-term, the nature of the role also means you are expected to identify new problem spaces, propose fixes, engage across disciplines. In other words, we want you to innovate and will give you the room to do so. If you can think of ways to do security, faster, more accurately, with greater consistency and at scale while minimising friction, you will be supported all the way.

You will need
To excel in this position, we expect you to have the following:
• 8+ years of work experience with a bachelor’s degree or at least 4 years of work experience with an master degree in related areas.
• Programming background with Java, JavaScript or .Net. Familiarity with popular frameworks, SDKs and tools.
• Proficient at secure design and coding and can audit as required.
• Experience with scripting using python, bash or PowerShell.
• Exposure to micro-service style architecture, distributed computing, Linux operating
system, REST APIs, modern application frameworks, container based development and deployments.
• Good understanding of software security and dev(sec)ops, the shift-left culture.
• Good understanding of OWASP Top-10, Top 25 CWEs, open source security, data security.
• Good understanding of security & privacy patterns, security standards and RFCs.
• Working experience with public cloud (Azure/AWS/GCP) and their popular services.
• General security principles, privacy principles, industry standards such as NIST and CIS benchmarks.
• Hands-on experience with threat models and attack trees is a plus.
If you’ve got AWS or Azure certifications, great! If you have only one, we’ll train you on everything else. If you have neither, that’s a more challenging conversation, but may not be a show-stopper if you stand out in other areas.