Senior Product Security Engineer FullTime London

About us:

We are champions of rail, inspired to build a greener, more sustainable future of travel. Trainline enables millions of travellers to find and book the best value tickets across carriers, fares, and journey options through our highly rated mobile app, website, and B2B partner channels.

Great journeys start with Trainline

Now Europe’s number 1 downloaded rail app, with over 125 million monthly visits and £5.9 billion in annual ticket sales, we collaborate with 270+ rail and coach companies in over 40 countries. We want to create a world where travel is as simple, seamless, eco-friendly and affordable as it should be.

Today, we're a FTSE 250 company driven by our incredible team of over 1,000 Trainliners from 50+ nationalities, based across London, Paris, Barcelona, Milan, Edinburgh and Madrid. With our focus on growth in the UK and Europe, now is the perfect time to join us on this high-speed journey.

Introducing our Security team @ Trainline

We focus on designing, implementing, and monitoring security controls to ensure a robust security posture in a fast-evolving environment. As part of our mission to continuously improve and mature Trainline's security capabilities, we work in close collaboration with cross functional teams, including Cloud Engineering, SRE, Platform Engineering, and more, to integrate the latest technologies and best practices into our products.

You will play a important role in safeguarding all digital channels that collectively generate billions of pounds in annual ticket sales, ensuring that our systems stay secure, resilient, and innovative in the face of evolving threats.

As a Senior Product Security Engineer at Trainline, you will be responsible for...

Security in the Development Lifecycle:

• Drive the integration of security into every stage of the Software Development Lifecycle (SDLC).

• Design, implement, and manage security controls to ensure secure product design, development, and deployment.

Threat Analysis and Mitigation:

• Collaborate with cross-functional teams to perform threat modelling, identify security risks, and implement effective countermeasures.

• Proactively assess the security posture of applications through code reviews, manual penetration testing, and static/dynamic security testing (SAST/DAST).

Security Tooling and Automation:

• Implement and maintain security tools used in the development and deployment processes (e.g., scanning tools, vulnerability management systems, SAST, DAST, ASPM).

• Automate security processes to streamline secure development and operational workflows.

Incident Detection and Response:

• Work with engineering and platform teams to detect, analyse, and remediate vulnerabilities in systems and applications.

• Ensure vulnerabilities are mitigated effectively and implement permanent fixes to prevent reoccurrence.

Training and Security Advocacy:

• Develop and deliver training programs to enhance the organisation’s understanding of secure coding and deployment practices.

• Serve as a security mentor and advocate, fostering a culture of security awareness across engineering and business teams.

Compliance and Standards:

• Ensure product security practices align with relevant security frameworks and standards (e.g., OWASP, NIST, ISO 27001, GDPR, PCI DSS).

• Support regulatory compliance efforts and maintain evidence to meet audit requirements.

Collaboration and Communication:

• Function as the primary interface between security, development, and infrastructure teams, ensuring seamless collaboration on security initiatives.

• Provide clear documentation, reports, dashboards, and metrics to communicate application security status and progress.

Continuous Improvement:

• Stay up to date with emerging threats, vulnerabilities, and best practices in product security.

• Identify opportunities to enhance security processes and implement innovative solutions to improve resilience and efficiency.

We'd love to hear from you if you have...

Application Security Expertise:

• Deep understanding of identifying, assessing, and mitigating security risks in application designs, code, and deployed products.

• Experience managing and using security testing tools such as SAST, DAST, and vulnerability scanning solutions.

• Strong grasp of secure coding practices and proficiency in integrating security into the Software Development Lifecycle (SDLC).

Technical Knowledge and Implementation experience:

• Direct experience with threat modelling, security reviews, and penetration testing.

• Proven ability to secure cloud-native architectures, containerization technologies, and Infrastructure as Code (IaC) environments.

• Familiarity with industry standards and frameworks such as OWASP, BSIMM, PCI DSS, ISO 27001, and GDPR.

Security Integration experience:

• Demonstrated ability to seamlessly integrate secure development practices into SDLC/SSDLC workflows.

• Skilled in implementing technical security controls and driving security automation within CI/CD pipelines.

Risk Management and Compliance knowledge:

• Experience with identifying and managing security risks, including conducting risk assessments.

• Working knowledge of regulatory compliance standards and frameworks.

More information:

Enjoy fantastic perks like private healthcare & dental insurance, a generous work from abroad policy, 2-for-1 share purchase plans, an EV Scheme to further reduce carbon emissions, extra festive time off, and excellent family-friendly benefits.

We prioritise career growth with clear career paths, transparent pay bands, personal learning budgets, and regular learning days. Jump on board and supercharge your career from day one!

Our values represent the things that matter most to us and what we live and breathe everyday, in everything we do:

• Think Big - We're building the future of rail

• ️ Own It - We focus on every customer, partner and journey

• Travel Together - We're one team

• ️ Do Good - We make a positive impact

We know that having a diverse team makes us better and helps us succeed. And we mean all forms of diversity - gender, ethnicity, sexuality, disability, nationality and diversity of thought. That's why we're committed to creating inclusive places to work, where everyone belongs and differences are valued and celebrated.

Interested in finding out more about what it's like to work at Trainline? Why not check us out on LinkedIn, Instagram and Glassdoor!