Security Engineer - (EXTEND)

The BBC

Salford

On-site

GBP 60,000 - 80,000

Full time

Today

Job summary

A leading media organization is seeking an expert to enhance Developer Experience by building secure tools and automating security in CI/CD. The role involves operating GitHub Advanced Security, implementing secure coding practices, and integrating security with AWS solutions. Ideal candidates will have hands-on experience in securing development processes and a strong understanding of GitHub security capabilities. Join us to contribute to secure development practices that reduce friction and enhance safety.

Qualifications

  • Experience building secure tooling and templates.
  • Familiarity with GitHub security features.
  • Hands-on experience with AWS solutions.

Responsibilities

  • Operate GitHub Advanced Security at scale.
  • Integrate security automation into CI/CD workflows.
  • Build reusable secure templates and libraries.
  • Support threat modelling and design reviews.
  • Contribute high-quality documentation and code.

Skills

Secure coding in Node.js, Python, Java
CI/CD security automation
GitHub Advanced Security
Threat modelling

Tools

AWS
Terraform
CloudFormation

Job description

Join DevX and Tooling to make Developer Experience safer and faster. You'll build secure-by-default tooling, templates and pipeline checks that fit engineers' day-to-day, run key GitHub security capabilities at scale, and surface meaningful signals that show impact. Your work reduces friction while strengthening the BBC's Secure SDLC.

Responsibilities

  • Operate GitHub Advanced Security at scale - CodeQL code scanning, secret scanning and push protection with sensible policies and triage flows.
  • Own Dependabot strategy - safe update policies, grouping/auto-merge where appropriate, PR hygiene and actionable alerting.
  • Integrate security automation into CI/CD - gating checks in GitHub Actions or equivalents with auditable exceptions.
  • Build reusable secure templates, libraries and policy-as-code guardrails for services, pipelines and Infrastructure as Code.
  • Support threat modelling and design reviews; translate outcomes into repeatable checks and templates.
  • Contribute to DevX tools and services with high-quality code, tests, docs and reviews; instrument controls to surface useful signals.
  • Integrate with monitoring and incident tooling; participate in incident response for DevX services when required.

  • GitHub Advanced Security at scale - administer CodeQL, secret scanning and push protection; set org/repo policies and triage workflows developers will use.
  • Dependabot expertise - design update and alerting strategy to keep dependencies fresh without churn.
  • CI/CD security automation - integrate and tune gating checks; manage exceptions with auditability.
  • Software supply chain security - SBOM generation/verification, artefact signing and provenance; pragmatic CVE triage.
  • Secure coding in at least two of Node.js, Python, Java, with rigorous reviews focused on auth, input handling and error handling; produce reusable secure templates.
  • Hands-on experience building, deploying and running solutions on AWS.

Desired But Not Required

  • IaC and cloud hardening - Terraform/CloudFormation security, policy-as-code and secure defaults for IAM, networking and secrets.
  • SLSA or similar supply-chain frameworks; build system hardening and release hygiene.
  • AI-assisted developer tooling (e.g. GitHub Copilot, code assistants/agents) - understand risks like prompt injection, data exfiltration and insecure suggestions; design guardrails, policies and CI/CD checks.
  • Developer-centred security UX - paved roads, reusable templates and docs that reduce friction and false positives.
  • Incident response for developer tooling - runbooks, tabletop exercises and security-focused post-incident reviews.