Application Security Engineer

London, United Kingdom

Trainline

Trainline plc is the world’s leading independent rail and coach travel platform. Find out all about Trainline and what we do.


Company Description

We are champions of rail, inspired to build a greener, more sustainable future of travel. Our purpose is our momentum. It makes us feel good because we know we’re doing good. As we lead the way to a greener future, we do it together. We’re all about connections - with each other, with our customers and with the world. Just as our platform brings the world together, it’s our ambition that connects us. We motivate each other to go beyond our limits, to experiment, to fail and to always grow.

With over 110 million visits every month to our platform and £4.3 billion in net ticket sales, we're always innovating and making moves towards our final destination — a world where travel is as simple, seamless, and affordable as it should be.

And we couldn't do any of it without our incredible people driving us forward. Today, we're a FTSE 250 company that's proudly home to more than 1000 Trainliners from over 60 nationalities across offices in London, Paris, Barcelona, Milan, Edinburgh, Berlin, Madrid and Brussels. It's this diversity that energises us and makes us stronger, helping us to achieve amazing things.

With our sights firmly set on further European growth, there is no better time to jump on board this high-speed train and be part of our continued success.

Great journeys start with Trainline.

Job Description

Introducing the Security Team 👋  

The security team works closely with Engineering, Product and Operations teams to build security into applications and support processes. We provide assurance to the application lifecycle in various areas, including design reviews, supporting automated and manual code review, performing targeted application vulnerability assessments and creating security products.

We are responsible for the security of all channels which collectively bring in over £3.2 billion in ticket sales every year. That means at peak times over 300 people per minute are booking trains.

As an Application Security Engineer, you'll join a team of Security Engineers working to reduce risk across the company. We provide security expertise during each phase of the SDLC and take a leading role in driving security initiatives. We identify recurring classes of security issues, find the root cause, and develop solutions to reduce the occurrence of application vulnerabilities at scale. We strive to promote and teach security to engineers.

As an Application Security Engineer at Trainline, you will... 🚄 

  • Join a highly innovative team that ensures the ongoing security of multichannel operations 
  • Be responsible for driving security improvement from design through delivery and into operations. 
  • Take the lead on finding technical solutions - drawing on your previous knowledge, self-learning and formal training 
  • Be responsible for helping to implement, maintain and administer security toolsets used in the software development process 
  • Helping to embed security in the development and operational lifecycle, and showing continued security value by presenting risk from the customer and business perspective 
  • Assisting with the development of training and awareness programmes to enhance the understanding of secure coding and deployment practices across the organization. 
  • Collaborating with the development, platform, and product teams to create threat models, identifying potential security threats, and implementing countermeasures. 
  • Static and dynamic security testing including code review and manual penetration testing 
  • Act as security evangelist and ‘mentor’ to the business and development teams 
  • Collaborate with the Engineering teams and other infrastructure teams to detect, analyse, understand, mitigate, and permanently fix vulnerabilities 
  • Provide sufficient tools, practices, and guidance so that engineers can autonomously improve security of Trainline environments and ensure security of the services 
  • Create and maintain documentation and metrics relating to application security including reports, runbooks, dashboards and KRIs. 

Qualifications

We'd love to hear from you if you have... 🔍    

The ideal individual has both application security expertise and development experience. They have in-depth knowledge of application security and can identify potential risks in designs, code, or in deployed applications. They should also have experience with threat modelling, security reviews, pen-testing and providing security guidance to development teams. They recognize the importance of building security solutions that scale both technically and organisationally and adapt to changing business requirements. They enjoy promoting security by giving talks, writing, or hosting educational sessions for developers. 

  • Experience working with external pen testers and/or acting as a primary contact for their testing 
  • Experience in managing application security testing tools like SAST, DAST and Vulnerability Scanning 
  • Knowledge of any Programming Language (we use C#.NET & JavaScript)
  • Experience working with and securing scalable environments using containerisation technologies, infrastructure as code and cloud native databases 
  • Solid and demonstrable comprehension of cyber and information security including secure coding, security in the SDLC and the evolving threat landscape  
  • Well versed in driving and implementing secure development practices in the SDLC (SSDLC); ability to successfully integrate security into a developer’s world
  • Experience with threat modelling 
  • Working knowledge of infrastructure security scanning  
  • Working knowledge of secure development practices such as OWASP and BSIMM 
  • Knowledge of current information security standards and regulations such as PCI DSS, ISO27000 series, and GDPR. 
  • Built dashboards or worked with data to improve security and decision making 

Additional Information

Why should you jump on board?

We pay special attention to learning and development and organise quarterly company learning days as well as offering a learning budget that can be put towards resources of your choice. We will cover the costs of your professional subscriptions and give you access to our very own learning platform.

At Trainline, we care about the wellness of our employees. We host puppy therapy sessions, in-office yoga and run Mental Health First Aider training courses as well as having an Employee Assistance Program as one of our many company benefits.

We regularly throw fun social events such as pub quizzes, karaoke nights and our large-scale Summer and Winter Festivals every year. Additionally, we love hosting meetups in our amazing event spaces and having the opportunity to support internal and external community groups.

We also hold companywide hackathons and our annual Trainline Tech Summit, which provides Trainliners with an opportunity to stand up and share their story, learnings, or new skills with their colleagues in a safe environment.

Our flexi-first approach

We believe in the importance of a healthy work-life balance and the value of a flexible workforce. Our flexi-first approach outlines our commitment to a hybrid way of working and our expectations of Trainliners. A key part of what makes Trainline special is our people and the value we get from the buzz and energy of our workplaces, and that’s why we’re proud to offer the best of both worlds. In practice this means in–office attendance at least 40% of the time over a 12-week period for all Trainliners. These in-office days are typically team led to help us connect, collaborate and create together.

Our Values 

  • Think Big - We're building the future of rail 
  • Own It - We care about every customer, partner and journey 
  • Do Good - We make a positive impact 
  • Travel Together - We're one team 

Interested in finding out more about what it's like to work at Trainline? Why not check out what our employees say about us on Glassdoor? You can also find out more information by following us on LinkedIn or our 'Life at Trainline' Instagram account.  

We value open expression at Trainline; we believe it’s the diversity of experience, backgrounds and perspectives of our employees that makes us who we are. We encourage everybody to play a part in changing the way people travel across the world.


Tags: Application security BSIMM C Cloud DAST GDPR ISO 27000 JavaScript OWASP PCI DSS Pentesting SAST SDLC Vulnerabilities

Perks/benefits: Career development Flex hours Health care Home office stipend Startup environment Team events Travel Wellness Yoga

Region: Europe
Country: United Kingdom