Fire & Security Engineer

BBC EXTEND This role is advertised as part of our BBC Extend programme for disabled people. To apply for this role you should identify as deaf, disabled or neurodivergent and must meet either the definition of disability in the Equality Act (2010), or the definition of disability in the Disability Discrimination Act (1995) if applying in Northern Ireland. You are broadly defined as disabled under both acts if you have a physical or mental impairment that has a substantial and long‑term negative or adverse effect on your ability to do normal daily activities. We are committed to making the process of applying for this role as accessible as possible, and have a dedicated BBC Access and Disability Service to provide assessments and support throughout employment.

Work where security meets usability. In DevX and Tooling you’ll ship guardrails that developers adopt, prove impact with real usage data, and collaborate with peers who value clear thinking over theatre. You’ll have autonomy, tight feedback loops and the chance to raise the security bar across hundreds of teams.

• Operate GitHub Advanced Security at scale – CodeQL code scanning, secret scanning and push protection with sensible policies and triage flows.
• Own Dependabot strategy – safe update policies, grouping/auto‑merge where appropriate, PR hygiene and actionable alerting.
• Integrate security automation into CI/CD – gating checks in GitHub Actions or equivalents with auditable exceptions.
• Build reusable secure templates, libraries and policy‑as‑code guardrails for services, pipelines and infrastructure as code.
• Support threat modelling and design reviews; translate outcomes into repeatable checks and templates.
• Contribute to DevX tools and services with high‑quality code, tests, docs and reviews; instrument controls to surface useful signals.
• Integrate with monitoring and incident tooling; participate in incident response for DevX services when required.

• IaC and cloud hardening – Terraform/CloudFormation security, policy‑as‑code and secure defaults for IAM, networking and secrets.
• SLSA or similar supply‑chain frameworks – build system hardening and release hygiene.
• AI‑assisted developer tooling (e.g. GitHub Copilot, code assistants/agents) – understand risks such as prompt injection and data exfiltration, and design guardrails, policies and CI/CD checks.
• Developer‑centred security UX – paved roads, reusable templates and docs that reduce friction and false positives.
• Incident response for developer tooling – runbooks, tabletop exercises and security‑focused post‑incident reviews.

Role: Security Systems Engineer. Salary: £40,000 + Bonus + On Call + Private Health. Location: Central London (5 days per week – travel costs will be spent by the employee).