Application Security Specialist | DevSecOps

France - Paris; France - Remote; Germany - Remote; Spain - Madrid; Spain - Remote; United Kingdom - London; United Kingdom - Remote

Shift is the leading AI platform for insurance. Shift combines generative, agentic, and predictive AI to transform underwriting, claims, and fraud and risk, driving operational efficiency, exceptional customer experiences and measurable business impact. Trusted by the world's leading insurers, Shift delivers AI when and where it matters most, at scale and with proven results.

Our culture is built on innovation, trust, and a drive to transform the insurance industry through our SaaS platform. We come from more than 50 different countries and cultures and together we are creating the future of insurance.

The security team is a critical component of Shift Technology, as no organization is immune to cyber-crime. The team is responsible for protecting information throughout the security infrastructure, edge devices, networks, and data. We strive to stay up to date with the latest tactics hackers are employing in the field in order to prevent data breaches by monitoring and reacting to attacks, but the first step is finding the most qualified professionals to lead the way.

 

DESCRIPTION

As a Security Engineer within Shift, you will have end-to-end ownership of security for our products and platforms. This is a unified role that blends DevSecOps and SecOps, responsible for securing our software from the first line of code, through the CI/CD pipeline, and monitoring it in production to detect and respond to threats. You’ll join a small agile team and a company where you can own and drive, and progress your career to the next level.

As part of the Information Security Department, this role reports to the CISO.

 

RESPONSIBILITIES

Secure by Design (Shift Left)

  • Working with data scientists, software delivery teams, and engineers to ensure technical security standards and architectures are well understood and best practices are followed, so the software is developed with Security and Privacy by Design and by Default.
  • Driving Application Security through defining technical policies, standards and guidelines and championing these throughout the organisation.
  • Identification of systemic and cultural developer security issues, and remediation opportunities.
  • Promote a mind-set of developing secure systems, transferring knowledge of security standards / processes and acting as a subject matter expert (SME).
  • Leading and facilitating threat modeling exercises.

Secure the Build & Deploy Pipeline (DevSecOps/AppSec)

  • Automation of security testing (SAST, DAST, SCA, Vulnerability management)
  • Ensuring full benefits realisation of relevant tooling.
  • Ensure maximum code and infrastructure coverage.
  • Ensure company-wide best practices for Secret Management, IaC Security, and SBOM.
  • Security auditing of software developed by the company and its partners.
  • Operate a software vulnerability management program, taking responsibility for the identification, production and improvement of meaningful metrics, and reporting on progress.
  • Prioritise and manage the remediation of code defects.

Secure the Platform (Cloud Operations)

  • Maintenance of a holistic view of the code and infrastructure estate, our security tooling coverage, and compliance readiness engineering.
  • Collaborate with key stakeholders (including engineering leads, infrastructure, SRE, and cloud operations) to identify security risks, architectural flaws, process gaps, and software vulnerabilities.
  • Technical liaison with third parties on application security related discussions.

Detect & Respond (Security Operations)

  • Develop, maintain, and execute appropriate incident response processes to enable timely escalation, containment, and recovery of cyber security events.
  • Work with other teams to identify recurring patterns and propose strategic actions to reduce risk.
  • Provide clear, concise, and easily consumable communication with key technical and non-technical stakeholders so that incidents, KPIs, and KRIs are understood and appropriately addressed.
  • Provide considered, definitive technical responses to customer penetration tests.

 

SKILLS & BACKGROUND

The ideal candidate will have deep, hands-on expertise in either DevSecOps or Cloud Security, with a strong willingness and proven ability to operate across the full security lifecycle, including security operations and incident response.

Core Experience:

  • 7+ years of experience in technical security roles with a degree in Computer Science, IT, Systems Engineering, or equivalent practical experience.
  • Proven experience working in regulated environments (e.g., ISO 27001, SOC 2, GDPR) and with common security frameworks (OWASP, MITRE ATT&CK, NIST CSF).

Core Technical Expertise:

Deep, hands-on experience in at least one of the following core areas:

  • DevSecOps & Application Security:
    • Automating security testing (SAST, DAST, SCA) in CI/CD pipelines.
    • Direct experience with application vulnerability management tools (e.g., GitHub Advanced Security, Tenable, ZAP, Burp Suite).
    • Strong knowledge of API, web application, and software supply chain security (SBOM).
    • Understanding of major development language frameworks (C#, Java, React, Python, etc.).
  • Cloud Security & Security Operations:
    • Strong knowledge of Azure security services (Entra ID Suite, Sentinel, Defender for Cloud, Key Vault, Policy).
    • Direct experience with Cloud and Endpoint Security concepts and tools (e.g., Palo Alto Cortex XDR, Prisma SASE, CASB, DLP, CSPM, IDS/IPS).
    • Proficiency with cloud networking and firewalling (e.g., Palo Alto Panorama/NGFWs, WAFs, Cloudflare).
    • Knowledge of SIEM, SOAR, Detection and Response Engineering concepts.

Broad Technical Proficiencies:

  • Strong knowledge of modern IDAM technology and concepts (e.g., Okta, SailPoint, PAM, SAML, OAuth/OIDC, SCIM).
  • Experience with endpoint security, predominantly Windows.
  • Experience with Azure cloud infrastructure, container technologies (Kubernetes) and engineering scripting languages (Python, PowerShell, Terraform).
  • Familiarity with managing vulnerability disclosure programs and tooling (e.g., HackerOne Bug Bounty, Drata, Jira).

Professional Attributes:

  • Excellent communication skills with a proven ability to engage and collaborate well with technical teams, represent security at multiple levels, and act as a subject matter expert.
  • A can-do attitude with the ability to own your own work, work independently, unblock yourself and others, and drive the team's mission forward.
  • Strong attention to detail and analytical skills, a diligent and creative approach to problem-solving, and the ability to educate and guide others on security principles.
  • Good situational awareness, a solid understanding of cybersecurity trends and a passion for continuous learning.

 

Recruitment Process

  • TA Interview
  • Security team interview
  • Technical interview
  • CISO interview
  • CTO interview

 


To support our permanent, full-time employees at every stage of their careers and lives, we provide a competitive total rewards and benefits package. Here are the global benefits we’d like to highlight:

  • Flexible remote and hybrid working options
  • Competitive Salary and a variable component tied to personal and company performance
  • Company equity
  • Multiple Learning and Development opportunities, including Focus Fridays, a half-day each month to focus on learning and personal growth
  • Generous PTO and paid holidays
  • Mental health benefits 
  • 2 MAD Days per year (Make A Difference Days for paid volunteering)

Additional benefits may be offered by country - ask your recruiter for more information. Intern and Apprentice positions are eligible for some of these benefits - ask your recruiter for more details.

At Shift we strive to be a diverse and inclusive workforce. We welcome applications from and hire people who will contribute to the diversity of our company, without regard to race, color, religion, marital status, age, national or ethnic origin, physical or mental disability, medical condition, pregnancy, genetic information, gender identity or expression, sexual orientation, or other non-merit criteria.

Shift Technology is committed to providing reasonable accommodations for qualified individuals with disabilities in our application and employment process. Should you require accommodation, please email accommodation@shift-technology.com and we will work with you to meet your accessibility needs.

Please be aware of scammers and only trust correspondence that comes from emails ending in "shift-technology.com". We will never do initial outreach to you via WhatsApp/Text/SMS, and will never ask for banking information or personal identification numbers (e.g., Social Security Number) as part of our recruitment process.

Shift Technology does not accept unsolicited CVs from recruiters or employment agencies in response to the Shift Technology Careers page or a Shift Technology social media post. Any unsolicited CVs, including those submitted directly to hiring managers, are deemed to be the property of Shift Technology.
