Senior Application Security Engineer

Job description:

Requirements

  • Several years in application/product security or security engineering
  • Strong knowledge of OWASP Top 10 (Web & API) and modern attack paths (e.g. auth flaws, SSRF, injection, business logic abuse, supply chain)
  • Experience working with complex, large-scale systems and modern architectures
  • Hands‑on security testing experience (especially Burp Suite) across web apps and APIs
  • Python for security tooling, automation, or custom detection (Django a plus)
  • Experience implementing and tuning SAST, SCA, DAST, and secret scanning in CI/CD
  • Practical threat modelling experience, including leading lightweight sessions
  • Strong collaboration skills, able to clearly explain issues and drive remediation
  • Builder mindset: you automate wherever possible
  • (Desirable) Experience with Django, Vue.js, MongoDB, GCP
  • (Desirable) Security champions or bug bounty programmes
  • (Desirable) Supply chain security (SCA, SBOMs, dependency review)
  • (Desirable) IaC security (e.g. Terraform, policy‑as‑code)
  • (Desirable) Hands‑on certifications (OSCP, GWAPT, BSCP)
  • (Desirable) Experience building out security practices in scaling environments

What the job involves

  • As a Senior Application Security Engineer, you'll be the technical authority on application security at Prolific
  • You’ll work hands‑on with our engineering teams to find and fix vulnerabilities in our codebase, perform security testing, build security tooling, and embed secure development practices into how we ship software
  • This isn't a governance or policy role: you'll be in the code, reviewing pull requests, threat modelling new features, and building the automation that keeps our platform secure as we scale
  • You’ll report to the Head of Engineering/Platform and work cross‑functionally with product engineering, platform, data, and TechOps teams
  • You’ll help secure Prolific’s applications end‑to‑end, from hands‑on testing and code review to threat modelling and CI/CD security
  • You’ll partner closely with engineers to identify and fix vulnerabilities, build and tune security tooling, and embed secure development practices across the SDLC
  • This includes running penetration tests, improving detection coverage, and staying ahead of emerging threats to continuously strengthen our security posture


Job information

  • Publication date:

    20 May 2026
  • Location:

    WorkFromHome

    Place of work:

    Munich
  • Type:

    Full-time
  • Working model:

    On-site
  • Category:

  • Experience:

    2+ years
  • Employment relationship:

    Employed
