Security Engineer - (EXTEND)

Job Closing Date: 05/11/2025

JOB BAND: C
CONTRACT TYPE: Permanent, Full-time
DEPARTMENT: Product Group - Enablement - Engineering Enablement
LOCATION: London, Cardiff, Salford, Newcastle, Glasgow - Hybrid
PROPOSED SALARY RANGE: 50,000-55,000

This role is advertised as part of our BBC Extend programme for disabled people. To apply for this role you should identify as deaf, disabled or neurodivergent and must meet either the definition of disability in the Equality Act (2010), or the definition of disability in the Disability Discrimination Act (1995) if applying in Northern Ireland. You are broadly defined as disabled under both acts if you have a physical or mental impairment that has a substantial and long‑term negative or adverse effect on your ability to do normal daily activities. This definition includes both apparent and non‑apparent conditions and impairments, and medical conditions such as Cancer, HIV or Multiple Sclerosis.
We are committed to making the process of applying for this role as accessible as possible. If you need to discuss adjustments or access requirements for the application process, or have any questions about our Extend programme, please contact extend@bbc.co.uk.
The BBC are fully committed to providing workplace adjustments to help eliminate barriers in the workplace that disabled people face. To do this, we have our own dedicated BBC Access and Disability Service that provides assessments and support throughout employment with us. If you are successful in applying for this role and require workplace adjustments, we will work with you to get your adjustments in place.
If you'd like more information on BBC Extend, please visit the BBC Extend webpage. EX2324

Join DevX and Tooling to make Developer Experience safer and faster. You’ll build secure‑by‑default tooling, templates and pipeline checks that fit engineers’ day‑to‑day, run key GitHub security capabilities at scale, and surface meaningful signals that show impact. Your work reduces friction while strengthening the BBC’s Secure SDLC.

Work where security meets usability. In DevX and Tooling you’ll ship guardrails that developers adopt, prove impact with real usage data, and collaborate with peers who value clear thinking over theatre. You’ll have autonomy, tight feedback loops and the chance to raise the security bar across hundreds of teams.

• Operate GitHub Advanced Security at scale – CodeQL code scanning, secret scanning and push protection with sensible policies and triage flows.
• Own Dependabot strategy – safe update policies, grouping/auto‑merge where appropriate, PR hygiene and actionable alerting.
• Integrate security automation into CI/CD – gating checks in GitHub Actions or equivalents with auditable exceptions.
• Build reusable secure templates, libraries and policy‑as‑code guardrails for services, pipelines and Infrastructure as Code.
• Support threat modelling and design reviews; translate outcomes into repeatable checks and templates.
• Contribute to DevX tools and services with high‑quality code, tests, docs and reviews; instrument controls to surface useful signals.
• Integrate with monitoring and incident tooling; participate in incident response for DevX services when required.

• GitHub Advanced Security at scale – administer CodeQL, secret scanning and push protection; set org/repo policies and triage workflows developers will use.
• Dependabot expertise – design update and alerting strategy to keep dependencies fresh without churn.
• CI/CD security automation – integrate and tune gating checks; manage exceptions with auditability.
• Software supply chain security – SBOM generation/verification, artefact signing and provenance; pragmatic CVE triage.
• Secure coding in at least two of Node.js, Python, Java, with rigorous reviews focused on auth, input handling and error handling; produce reusable secure templates.
• Hands on Experience building, deploying and running solutions on AWS.

• IaC and cloud hardening – Terraform/CloudFormation security, policy‑as‑code and secure defaults for IAM, networking and secrets.
• SLSA or similar supply‑chain frameworks; build system hardening and release hygiene.
• AI‑assisted developer tooling (e.g. GitHub Copilot, code assistants/agents) – understand risks like prompt injection, data exfiltration and insecure suggestions; design guardrails, policies and CI/CD checks.
• Developer‑centred security UX – paved roads, reusable templates and docs that reduce friction and false positives.
• Incident response for developer tooling – runbooks, tabletop exercises and security‑focused post‑incident reviews.

If you can bring some of these skills and experience, along with transferable strengths, we’d love to hear from you and encourage you to apply.

Before your start date, you may need to disclose any unspent convictions or police charges, in line with our Contracts of Employment policy. This allows us to discuss any support you may need and assess any risks. Failure to disclose may result in the withdrawal of your offer.

This job description is a written statement of the essential characteristics of the job, with its principal accountabilities, incorporating a note of the skills, knowledge and experience required for a satisfactory level of performance. This is not intended to be a complete, detailed account of all aspects of the duties involved.

FOLLOW US ON SOCIAL MEDIA