Senior Product Security Engineer

Overview:

The Senior Product Security Engineer will lead efforts to secure the Harness software by embedding security into every stage of the development lifecycle. This role involves vulnerability management, internal adoption of cutting-edge security solutions, and enabling teams to shift left on security while safeguarding the software supply chain.

Key Responsibilities

• Lead identification, triage, and remediation of vulnerabilities across the Harness platform and modules, partnering with engineering teams to establish SLAs and track progress.
• Collaborate with engineers to perform threat modeling for new and existing features, identifying risks early and providing actionable recommendations.
• Promote and implement Harness STO and SCS modules internally to demonstrate security best practices and drive adoption.
• Develop and integrate security controls and checks into CI/CD workflows to detect issues before deployment.
• Establish robust processes for software supply chain security, including dependency management and artifact integrity verification using SLSA
• Stay updated on emerging threats targeting software supply chains and adjust strategies proactively.
• Plan and execute periodic penetration tests to uncover vulnerabilities and validate security controls, working with internal teams and external testers.
• Leverage expertise in security scanners and tools (e.g., SAST, DAST, IAST, SCA) to ensure consistent testing and reporting.
• Evaluate and recommend security tools to align with organizational needs and improve testing coverage.
• Partner with engineering, platform, and DevOps teams to foster a security-first mindset through training and enablement.
• Support compliance initiatives by aligning product security practices with regulatory standards and maintaining audit documentation.

Qualifications

• Proven experience in product security, vulnerability management, and secure software development lifecycle practices.
• Hands-on expertise with security tools such as OWASP ZAP, Burp Suite, Checkmarx, SonarQube, or equivalent.
• Strong understanding of CI/CD processes, tools (e.g., Jenkins, GitHub Actions, Harness), and shift-left security approaches.
• Knowledge of secure coding practices, threat modeling methodologies, and supply chain security principles.
• Familiarity with different types of security testing SAST, DAST, IaC, SCA) and proficiency in evaluating scanning tools.
• Strong collaboration skills with engineering and DevOps teams to embed security practices effectively.
• Passion for fostering a security-first culture through enablement, training, and continuous improvement.
• Excellent communication skills to convey technical security concepts to diverse stakeholders.