Lead Security Engineer (Application Security & Vulnerability Management)
Join Xero as a Lead Security Engineer to shape the way our teams approach application security and vulnerability management. Your leadership will influence secure development practices across the organisation.
Role & Impact
As a seasoned Lead Engineer/Tech Lead, you will be an acknowledged authority on application security, solving complex problems and influencing secure‑by‑design practices across multiple teams. You will act as a hands‑on technical leader, driving the implementation of secure software development practices, embedding security into our software development lifecycle, and prioritising and remediating vulnerabilities efficiently.
Your work will focus on uplifting security capabilities, automating controls, and balancing security with developer experience. You will lead initiatives to improve our security posture across software and cloud environments, mentor engineers, and foster a culture of shared security responsibility.
Initial Focus Areas
* Embedding automated security testing (SAST, DAST, SCA) and runtime tools into CI/CD pipelines to drive "shift‑left" security.
* Developing and refining automated vulnerability detection processes using AWS, GCP, and Terraform.
* Leading threat‑modeling exercises to proactively assess and mitigate risks before deployment.
* Supporting software development with a security focus, utilising languages such as .NET, Python, Java, or JavaScript.
Where & How You Can Work
Our team is based across Australia & New Zealand; this role can be based anywhere on the East Coast of Australia. We support flexible working arrangements—working from home, in our offices, or a combination of both.
Qualifications & Experience
* Deep expertise in Application Security and Vulnerability Management, especially within cloud‑native and modern architectures.
* Strong understanding of DevSecOps practices, including automated security testing and container security.
* Ability to influence without authority, aligning security priorities with business needs across engineering teams.
* Experience driving vulnerability management programs, including risk assessment and remediation strategies.
* Solid grasp of modern software delivery practices and coding proficiency in .NET, Python, Java, or JavaScript.
* Passionate about developer enablement and making security accessible to empower engineers to write secure code.
Additional Information
We champion a diverse and inclusive working environment and welcome all backgrounds. Applications are accepted on a rolling basis; we encourage you to apply even if your experience isn't a perfect match.
Seniority Level
Mid‑Senior level
Employment Type
Full‑time
Job Function
Information Technology
Software Development