Tech Stack
Cloud, Go, Java, JavaScript, Jenkins, Microservices, Python, SDLC
About the role
At Xero, we're here to help you supercharge your business. We do this by automating routine tasks, surfacing actionable insights and connecting businesses with the right data, advisors and apps.
Sitting within a newly formed Application Security team, this role will focus on secure software development, DevSecOps, security automation, and vulnerability management.
Day to day, you'll work cross-functionally with engineering, product, and security teams to build and improve security tooling, secure coding practices, and automated security controls that empower developers to plan, write, test, and deploy secure applications efficiently.
We're looking for somebody with a passion for security automation and security-as-code, who can leverage tools to improve efficiency, coupled with a growth mindset: continuously learning and adapting to emerging threats and security trends.
This position will play a key role in securing Xero’s software development lifecycle (SDLC), ensuring that security is embedded into engineering workflows while enabling teams to deliver secure products at scale.
Requirements
- Extensive experience in Application Security, Secure Software Development, and DevSecOps practices.
- Hands-on experience with automated security testing tools, including SAST, DAST, SCA, and IaC security scanning.
- Proficiency in programming and scripting languages (Python, Java, Go, JavaScript, or similar), coupled with a strong understanding of secure coding principles, OWASP Top 10, SANS CWE, and software security best practices.
- Hands-on experience securing APIs, microservices, cloud-native applications, and serverless architectures.
- Experience integrating security controls into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI, or similar).
- Solid background in vulnerability management, risk assessment, and application security triage, including incident response and investigating and mitigating application security breaches.