The Role:
This is an amazing opportunity to work with Markets Information Security Team at ION. As a Product Security Engineer, you would be the key enabler of secure and compliant products. This role reports to the Product Security Lead and partners closely with engineering and product teams to increase the overall product security posture. You will own and scale product/application security by embedding security into the Secure SDLC, automating controls in CI/CD, and driving measurable risk reduction. The role is hands-on: you will perform security-focused code review and targeted testing, strengthen API security, implement supply chain security (SCA/SBOM) practices, and run an efficient vulnerability lifecycle with clear SLAs and metrics.
Key Responsibilities:
Secure SDLC Ownership: Help to define lightweight, measurable SSDLC (requirements, design checks, guidance, release criteria); establish “paved roads” (reference architectures, secure templates, approved libs/patterns).
CI/CD Security Automation (Shift‑left): Own AppSec toolchain/pipelines (SAST, DAST, SCA, secrets, IaC/container); integrate risk‑based gating with clear developer feedback; tune rules, cut false positives, and standardize triage (tickets, auto‑routing, SLAs).
Code Review & Secure Engineering Support: Perform security code reviews for critical areas (authn/authz, sessions, crypto, data protection, input validation, business logic); provide remediation guidance, secure patterns, and concise code/design examples.
API & Service Security: Lead API security (OAuth/OIDC, token handling, rate limiting, schema validation, anti‑abuse, secure errors, logging/monitoring); drive API testing (contracts + targeted DAST); partner on service‑to‑service security.
Secure Design Reviews & Threat Modeling: Run pragmatic threat modelling/design reviews for new features and changes; produce actionable outputs (mitigations, backlog, acceptance criteria, test cases); maintain requirements for identity, sensitive data, and privacy‑by‑design.
Supply Chain Security (SCA/SBOM): Manage dependency risk (triage, upgrade strategies, deprecations, guardrails); establish SBOM generation/use and provide evidence for assurance; assess third‑party components/SDKs and provenance/attestation risks.
Vulnerability Lifecycle, SLAs & Metrics: Run intake/triage across tools, pen tests, VDP/bug bounty, and internal findings; define remediation SLAs by severity/exploitability and asset criticality, manage exceptions and verify fixes; report meaningful metrics (MTTD, MTTF, reopen rate, recurring classes, coverage, control effectiveness).
Hands‑on Testing (Targeted & Risk‑Based): Execute focused testing on high‑risk areas (web, APIs, mobile/auth flows) to validate exploitability; coordinate third‑party testing and ensure findings translate into prioritized engineering outcomes.
Required Skills, Qualifications and Experience:
Skills in:
6+ years in Product Security / Application Security, with demonstrable engineering-facing delivery.
Strong understanding of OWASP (Web + API risks) and modern attack paths (authz flaws, SSRF, injection, deserialization, business logic abuse, supply chain).
Hands-on experience integrating security into CI/CD (SAST/DAST/SCA/secrets), triaging findings, and enabling developer remediation.
Comfortable reading/reviewing code in at least one backend language (e.g., Java, C++, Go, Python, Node.js) and common web stacks.
Solid grasp of cloud-native delivery practices: microservices, containers, CI/CD, IaC fundamentals, observability, and logging.
Strong communication skills: able to translate risk into clear engineering actions and influence outcomes.
Nice to Have
Threat modeling experience (STRIDE or similar) with real production outcomes.
Fintech or regulated-environment experience in translating obligations into product controls (e.g., PCI, GDPR/DORA concepts).
Bug bounty/VDP experience (triage, validation, reporter comms process).
Certifications: OSWE/OSCP/GPEN/GXPN, cloud certifications, or secure software development certifications.
Ability to:
Effectively communicate technical issues to diverse audiences, both in writing and verbally.
Handle sensitive and confidential matters, situations, and data.
Understand and follow broad and complex instructions.
Comprehend technical language and to confer, analyse and write in an objective, lucid manner.
Work independently and prioritize multiple tasks and adapt to needed changes.
Remain calm under high pressure/difficult situations.
Preferred Certifications:
OSWE/OSCP/GPEN/GXPN, cloud certifications, or secure software development certifications.
About us:
We’re a diverse group of visionary innovators who provide trading and workflow automation software, high-value analytics, and strategic consulting to corporations, central banks, financial institutions, and governments. Founded in 1999, we’ve achieved tremendous growth by bringing together some of the best and most successful financial technology companies in the world.
• Over 2,000 of the world’s leading corporations, including 50% of the Fortune 500 and 30% of the world’s central banks, trust ION solutions to manage their cash, in-house banking, commodity supply chain, trading and risk.
• Over 800 of the world’s leading banks and broker-dealers use our electronic trading platforms to operate the world’s financial market infrastructure.
ION is a rapidly expanding and dynamic group with 13,000 employees and offices in more than 40 cities around the globe. Our ever-expanding global footprint, cutting edge products, and over 40,000 customers worldwide provide an unparalleled career experience for those who share our vision.
ION is committed to maintaining a supportive and inclusive environment for people with diverse backgrounds and experiences. We respect the varied identities, abilities, cultures, and traditions of the individuals who comprise our organization and recognize the value that different backgrounds and points of view bring to our business.
ION adheres to an equal employment opportunity policy that prohibits discriminatory practices or harassment against applicants or employees based on any legally impermissible factor.
