Application Security Engineer



United Kingdom
Posted on Thursday, May 23, 2024

Who are Tyk, and what do we do?
The Tyk API Management platform is helping to drive the connected world and power new products and services. We’re changing the way that organisations connect any number of their systems and services. Whether internal, external, public or highly encrypted systems, Tyk helps businesses drive value across the retail, finance, telecoms, healthcare, or media industries (to name just a few!).

If you’ve banked online, used an app to check the news, or perhaps even driven a connected car, APIs, and by extension Tyk, make that possible. Founded in 2015 with offices in London (UK), London (Ontario), Atlanta and Singapore, we have many thousands of users of our B2B platform across the globe. Brands using Tyk range from Lotte, Bell and T-Mobile to RBS, Capital One and Vinci. We have a varied user base hailing from every continent – even Antarctica.

Our Mission

Tyk is on a mission to connect every system in the world. We’ve started by building an API Management platform.

Total flexibility, default remote, radical responsibility

We offer unlimited paid holidays and remote working from anywhere in the world, for everyone. Why? Tyk was founded on the principle of offering flexibility and autonomy to our employees; we believe this allows our employees to achieve their best results. It also means we can build the best possible team: location and working hours are no barrier.

If this sounds like an environment that could work for you, read on to find out more.

The role:

We’re looking for an Application Security Engineer who will be responsible for protecting our applications from cyber threats and vulnerabilities, collaborating with software developers and IT teams to integrate security practices into the development process, and conducting regular security audits to assess and improve the overall security posture of our applications.

Here’s what you’ll be getting up to:

  • Review our current approach to security within the software development lifecycle (SDLC), and build a situation assessment and/or opportunity canvas which allows us to shift left on security
  • Build clear and compelling security strategies which reduce our post-launch exposure and our post-launch security rework
  • Build a clear set of product security metrics which are used both to provide a health baseline and to demonstrate improvement over time
  • Create a best practice policy to ensure security by design, and work with product teams to embed these processes and measure their impact
  • Maintain security risk and issue logs for products with the express aim of mitigating security risks before they become issues
  • Design and communicate best practice processes and tooling, such as threat modelling and horizon scanning, which allow the product teams to ensure we are identifying risks and have clear plans to mitigate them
  • Build a roadmap of vendor upgrades which we need to carry out to stay secure, and ensure these are fed into the relevant product domains
  • Create and maintain a vulnerability register, and work with product teams to remedy the vulnerabilities it records
  • Advise on scanning techniques and tooling (such as OWASP tooling and licence scanning) which allow us to find and remedy vulnerabilities ahead of code merge
  • Work with Operations teams to provide data and answers to support ongoing compliance initiatives, such as SOC2 and ISO
  • Respond to, and provide public updates on, reports received through our responsible disclosure programs (Zerocopter, CVEs, etc.) to ensure Tyk is seen as responsive and responsible
  • Assist the QA team with the pen test process, designing pen test scope, transferring results to vulnerability registers, and ensuring product team assessment and resolution of vulnerabilities
  • Optimise existing tooling (SonarCloud / Dependabot) and introduce new tooling where appropriate to reduce risk, then work with the product teams for easy adoption
  • Run the post mortem process when required for high impact security issues which slip into production, and ensure root cause actions are taken so they never recur
  • Assist pre-sales and post-sales functions with security queries, and with closing gaps identified by customers and prospects