Lead Application Security Engineer

TN United Kingdom

United Kingdom

Hybrid

GBP 56,000 - 74,000

Full time

7 days ago

Job summary

An established industry player is seeking a Lead Application Security Engineer to join their collaborative team. This role is crucial in enhancing the cyber security of digital services, ensuring the protection of sensitive information. You will lead a dedicated team, implementing best practices and innovative solutions to mitigate risks and improve security across the development pipeline. This position offers a hybrid working model, allowing flexibility and a balance between remote work and office presence. If you are passionate about cyber security and eager to make a significant impact, this opportunity is perfect for you.

Qualifications

  • Proven experience in Application Security and leading AppSec teams.
  • Hands-on experience with CI/CD tools and cloud technologies.

Responsibilities

  • Lead a team of AppSec Engineers to enhance security in the development pipeline.
  • Design and automate security tools for secure software development lifecycle.

Skills

Application Security
DevSecOps
Threat Modelling
CI/CD
Cloud Security
Emotional Intelligence
Collaboration

Education

Experience in Cyber Security
Knowledge of Security Frameworks

Tools

Jenkins
GitHub Actions
CircleCI
Docker
Kubernetes

Job description

Lead Application Security Engineer, nationwide, uk
Client:

Justice Digital

Location:

nationwide, uk, United Kingdom

Job Category:

-

EU work permit required:

Yes

Job Reference:

3234fad332a5

Job Views:

3

Posted:

18.04.2025

Expiry Date:

02.06.2025

Job Description:

Lead Application Security Engineer

Location: National*

Closing Date: 2nd May 2025

Interviews: w/c 12th May

Grade: Grade 7

(MoJ candidates who are on a specialist grade will be able to retain this grade on lateral transfer)

Salary: London: £61,201 - £78,225 (which may include an allowance of up to £17,024)

National: £56,532 - £73,450 (which may include an allowance of up to £16,918)

Contract Type: Permanent

Vacancy number: 5151

*We offer a hybrid working model, allowing for a balance between remote work and time spent in your local office.

The Role

We’re recruiting for a Lead Application Security Engineer here at Justice Digital, to be part of our warm and collaborative Platforms and Architecture Cyber team.

This role aligns with the Senior Security Architect role in the Government Digital and Data Framework.

The cyber security of the digital services of the Ministry of Justice is vital both to ensuring trust in the justice system and to meeting our legal obligations to protect sensitive information. The potential for a successful cyber attack is a departmental risk, and the allocation of effective and skilled effort to help reduce the risk is part of the mitigation presented to MoJ.

This requirement is achieved in part through the delivery of Application Security (AppSec). Working in partnership with the development teams, AppSec work improves and scales up security activities, helping teams design, build and automate security into their solutions, and finding new ways to reduce risk scores.

Providing this operational security improvement is a vital part of our collective work to mitigate existing security deficiencies in legacy and digital services, and to embed more effective security in our services for the future.

Key Responsibilities:
  • You will be leading a small number of other AppSec Engineers, providing expert hands-on cyber security support to our development teams across the MoJ Justice Digital estate.
  • You will be working to find better ways to defend and protect the development pipeline by building automation into processes and building in AWS and Azure native safeguards, where appropriate.
  • You will be working alongside cyber security consultants, and alerting them to areas of increased risk and new processes and techniques.
  • Designing, developing and automating security tools and techniques to implement a secure software development lifecycle (SDLC), providing continuous assurance that systems are protected against common threats.
  • Implementing consistent DevSecOps best practices for the MoJ organisation.
  • Supporting and participating in workshops to raise awareness of security vulnerabilities and mitigations available to teams.
  • Help to address product security requirements by deploying homegrown and open source tools.
  • Coordinating with developers and product management to ensure these tools are fit for purpose.
  • Driving improvements in teams that ultimately improve outcomes in Secure by Design.
  • Collaborating with internal and external DevOps Teams to advocate software security practices and with Cloud Security and Security Architects in maintaining/extending Cloud Security patterns and use cases.
  • Communicating security findings to stakeholders in a clear and actionable fashion, focusing on real-world impact and with pragmatic options for resolution.
  • Maintaining good practice around code repos (like GitHub), identifying and remediating weaknesses in Open Source libraries.
  • Working closely with platform teams to build centralised security reporting dashboards that provide security assurance across our applications.
  • Supporting threat modelling and security design reviews with engineering teams, providing subject matter expertise in resolving complex security problems.
  • Critiquing mitigations suggested by development teams on security issues.
  • Build the profile of the cyber security team through positive stakeholder interactions.
  • Utilise AppSec testing to build security confidence in products and services.

Person Specification

  • You have successfully established relationships with development teams based on collaboration, emotional intelligence, and pursuit of excellence.
  • You have experience of deploying techniques like SCA, SAST, DAST, IaC, etc. to the development pipeline.
  • You have knowledge of lightweight Threat Modelling techniques.
  • You have hands-on experience with CI/CD tools like Jenkins, GitHub Actions and CircleCI.
  • Understand how to secure public facing endpoints and APIs.
  • You have experience of modern development practices, cloud and container technologies such as Docker and Kubernetes.
  • Familiarity with microservice architecture and networking.
  • Ability to effectively present and communicate security threats and risks to any audience and impress upon them the mitigation techniques and strategies.
  • Excellent knowledge of frameworks such as OWASP, MITRE, Cyber Kill Chain.
  • You have experience with implementing secure software lifecycle practices within an agile engineering organisation.
  • You have an ability to create a positive security culture in development teams.

Willingness to be assessed against the requirements for SC clearance.

How to Apply

Candidates must submit a CV and a Cover Letter (500 words max) which describes how you meet the requirements set out in the Person Specification above.

In Justice Digital, we recruit using a combination of the Government Digital and Data Profession Capability and Success Profiles Frameworks. We will assess your Experience, Technical Skills and the following Behaviours during the assessment process:

  • Communicating and Influencing

A diverse panel will review your application against the Person Specification above.

Successful candidates who meet the required standard will then be invited to a 1-hour/90-minute panel interview, which may include a task, held via video conference.

Should we receive a high volume of applications, a pre-sift based on “You have an ability to create a positive security culture in development teams” will be conducted before the sift.

Candidates who do not demonstrate examples/details of their experience of the requirements stated under the Person Specification above in their Cover Letter will be rejected on this basis.

Should you be unsuccessful in the role that you have applied for but demonstrate the capability for a role at a lower level, we reserve the right to discuss this opportunity with you and offer you the position without needing a further application.

A reserve list may be held for up to 12 months, from which further appointments may be made.

Terms & Conditions

Please review our Terms & Conditions which set out how we recruit and provide further information related to the role and salary arrangements.
