Lead Application Security Engineer
Location: National*
Closing Date: 2nd May 2025
Interviews: w/c 12th May
Grade: Grade 7
(MoJ candidates who are on a specialist grade, will be able to retain this grade on lateral transfer)
Salary: London: £61,201 - £78,225 (which may include an allowance of up to £17,024)
National: £56,532 - £73,450 (which may include an allowance of up to £16,918)
Working pattern: Full-time/Part-time/Flexible working
Contract Type: Permanent
Vacancy number: 5151
*We offer a hybrid working model, allowing for a balance between remote work and time spent in your local office. Office locations can be found on this map.
The Role
We're recruiting for a Lead Application Security Engineer here at Justice Digital, to be part of our warm and collaborative Platforms and Architecture Cyber team.
This role aligns with the Senior Security Architect role from the Government Digital and Data Framework.
The cyber security of the digital services of the Ministry of Justice is vital to ensuring both trust in the justice system, as well as meeting our legal obligations to protect sensitive information. The potential of a successful cyber attack is a departmental risk, and the allocation of effective and skilled effort to help reduce the risk is part of the mitigation presented to MoJ.
Part of achieving this requirement is through the delivery of Application Security (AppSec). Working in partnership with the development teams, AppSec work improves and scales up security activities, helping teams design, build and automate security into their solutions, and finding new ways to reduce risk scores.
Providing this operational security improvement is a vital part of our collective work to mitigate existing security deficiencies in legacy and digital services, and to embed more effective security in our services for the future.
To help picture your life at MoJ Justice Digital please take a look at our blog and our Digital and Technology strategy 2025.
Key Responsibilities:
You will be leading a small number of other AppSec Engineers, providing expert hands-on cyber security support to our development teams across the MoJ Justice Digital estate. You will be working to find better ways to defend and protect the development pipeline by building automation into processes and building in AWS and Azure native safeguards, where appropriate.
You will be working alongside cyber security consultants, and alerting them to areas of increased risk and new processes and techniques.
What you'll be doing:
- Designing, developing and automating security tools and techniques to implement a secure software development lifecycle (SDLC), providing continuous assurance that systems are protected against common threats.
- Implementing consistent DevSecOps best practices for the MoJ organisation.
- Supporting and participating in workshops to raise awareness of security vulnerabilities and mitigations available to teams.
- Helping to address product security requirements by deploying homegrown and open source tools.
- Coordinating with developers and product management to ensure these tools are fit for purpose.
- Driving improvements in teams that ultimately improve outcomes in Secure by Design.
- Collaborating with internal and external DevOps Teams to advocate software security practices and with Cloud Security and Security Architects in maintaining/extending Cloud Security patterns and use cases.
- Communicating security findings to stakeholders in a clear and actionable fashion, focusing on real-world impact and with pragmatic options for resolution.
- Maintaining good practice around code repos (like GitHub), identifying and remediating weaknesses in Open Source libraries.
- Working closely with platform teams to build centralised security reporting dashboards that provide security assurance across our applications.
- Supporting threat modelling and security design reviews with engineering teams, providing subject matter expertise in resolving complex security problems.
- Critiquing mitigations suggested from development teams on security issues.
- Building the profile of the cyber security team through positive stakeholder interactions.
- Utilising AppSec testing to build security confidence in products and services.
Benefits
- 37 hours per week and flexible working options including working from home, working part-time, job sharing, or working compressed hours.
- A £1k per person learning budget is in place to support all our people, with access to best in class conferences and seminars, accreditation with professional bodies, fully funded vocational programmes and e-learning platforms.
- Staff have 10% time to dedicate to develop & grow.
- Generous civil service pension based on defined benefit scheme, with employer contributions of 28.97% from April 1st 2024 (Contribution Rates).
- 25 days leave (plus bank holidays) and 1 privilege day usually taken around the King's birthday. 5 additional days of leave once you have reached 5 years of service.
- Compassionate maternity, adoption, and shared parental leave policies, with up to 26 weeks leave at full pay, 13 weeks with partial pay, and 13 weeks further leave. And maternity support/paternity leave at full pay for 2 weeks, too!
- Wellbeing support including access to the Calm app.
- Bike loans up to £2500 and secure bike parking (subject to availability and location).
- Season ticket loans, childcare vouchers and eye-care vouchers.
- 5 days volunteering paid leave.
- Free membership to BCS, the Chartered Institute for IT.
- Some offices may have a subsidised onsite Gym.
Person Specification
Essential
- You have successfully established relationships with development teams based on collaboration, emotional intelligence, and pursuit of excellence.
- You have experience of deploying techniques like SCA, SAST, DAST, IaC etc to the development pipeline.
- You have knowledge of lightweight Threat Modelling techniques.
- You have hands-on experience with CI/CD tools like Jenkins, GitHub Actions and CircleCI.
- Understand how to secure public facing endpoints and APIs.
- You have experience of modern development practices, cloud and container technologies such as Docker and Kubernetes.
- Familiarity with microservice architecture and networking.
- Ability to effectively present and communicate security threats and risks to any audience and impress upon them the mitigation techniques and strategies.
- Excellent knowledge of frameworks such as OWASP, MITRE, Cyber Killchain.
- You have experience with implementing secure software lifecycle practices within an agile engineering organisation.
- You have an ability to create a positive security culture in development teams.
Willingness to be assessed against the requirements for SC clearance.
The Civil Service is committed to attracting, retaining and investing in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service D&I Strategy.
How to Apply
Candidates must submit a CV and Cover Letter (500 words max), which describes how you meet the requirements set out in the Person Specification above.
In Justice Digital, we recruit using a combination of the Government Digital and Data Profession Capability and Success Profiles Frameworks. We will assess your Experience, Technical Skills and the following Behaviours during the assessment process:
- Communicating and Influencing
A diverse panel will review your application against the Person Specification above.
Successful candidates who meet the required standard will then be invited to a 1-hour/90-minute panel interview, which may include a task, held via video conference.
Should we receive a high volume of applications, a pre-sift based on "You have an ability to create a positive security culture in development teams" will be conducted before the sift. The panel will be conducting a sift on the following criteria from the Person Specification above:
- You have experience of deploying techniques like SCA, SAST, DAST, IaC etc to the development pipeline.
- You have experience of modern development practices, cloud (AWS/ Azure) and container technologies such as Docker and Kubernetes.
- Excellent knowledge of frameworks such as OWASP, MITRE, Cyber Killchain.
Candidates who do not demonstrate examples/details of their experience of the requirements stated under the Person Specification above in their Cover Letter will be rejected on this basis.
Should you be unsuccessful in the role that you have applied for but demonstrate the capability for a role at a lower level, we reserve the right to discuss this opportunity with you and offer you the position without needing a further application.
A reserve list may be held for up to 12 months, from which further appointments may be made.
Terms & Conditions
Please review our Terms & Conditions which set out how we recruit and provide further information related to the role and salary arrangements.
If you have any questions, please feel free to contact recruitment@digital.justice.gov.uk