Search...

Senior Product Security Engineer

Blockchain.com logo
Blockchain.com

Blockchain.com is a financial services company and crypto finance house founded in 2011. It provides a platform for buying, selling, and trading cryptocurrencies, offering a crypto wallet, an exchange, and institutional services. It also provides key infrastructure for the crypto community, including a Blockchain Explorer and an API for building on Bitcoin. The company serves millions of users worldwide, from individuals to institutions, with the goal of accelerating crypto adoption. Its subsidiary, Blockchain Ventures, is a venture capital fund that supports and invests in distributed ledger technology (DLT) projects.

Distributed
About Blockchain.com

Blockchain.com, a crypto finance house established in 2011, pioneered key infrastructure for the bitcoin community with its Blockchain Explorer and an API for building on Bitcoin. The company offers a comprehensive suite of crypto products for both individual and institutional clients. For individuals, it provides a widely used self-custody crypto wallet for buying, selling, swapping, and earning rewards, alongside a high-speed trading exchange with 24/7 support. For institutional clients, the platform offers high-touch solutions like Spot OTC, derivatives, structured products, and margin lending. Blockchain.com also provides extensive blockchain data services, including a public explorer, a powerful data API, and industry-leading charts. Its subsidiary, Blockchain Ventures, is a venture capital fund created to support and invest in distributed ledger technology (DLT) projects that advance the industry and have a positive societal impact, aiming to build an open, fair, and accessible financial system.

View jobs by Blockchain.com

Skills

About the Role

You will operate the product security program for internally developed products across Consumer OTC and MRE lines. You are a senior, hands on professional who will design and run the secure development lifecycle, lead threat modeling and architecture reviews, own the security debt lifecycle, and architect automated pipelines that protect billions in transaction volume. You will translate technical findings into business prioritized remediation and raise developer capabilities so security is delivered by code and process.

Requirements

  • 4+ years total security engineering experience with at least 3+ years focused on application security.
  • Experience with Web, Mobile, Cloud, Infrastructure Pentests and Red Teaming (e.g., phishing).
  • Proven track record of shipping security automation using CodeQL Snyk or similar; familiarity with the SARIF ecosystem and ASPM workflows.
  • Expert level ability to audit and propose fixes in Kotlin Java TypeScript Python; familiarity with containerised deployments (Kubernetes).
  • Strong threat modeling experience and pragmatic architecture guidance for high stakes financial flows (AuthN/AuthZ Cryptography Payments).
  • Experience building CI checks, test harnesses and lightweight fuzzing property tests.
  • Excellent stakeholder skills — able to negotiate remediation with Engineering Directors and Product owners, balancing security requirements with business velocity.
  • Prior fintech/Trading/OTC product security experience or familiarity with custody/signing patterns.
  • Practical experience designing or deploying AI assisted security tooling, leveraging LLMs for automated software patch generation, or evaluating vulnerability detection agents within enterprise developer pipelines.
  • Prior experience operating alongside GRC frameworks, authoring developer facing security policies from scratch, and building automated policy-as-code gateway integrations.
  • Public track record of CVEs, security research, or open-source contributions to security tooling.
  • Advanced credentials such as OSCP OSWE CISSP or equivalent.
  • Experience with on-chain/off-chain integration, payment reconciliation, or smart contract security.
  • Familiarity with vulnerability management platforms (DefectDojo, Dependabot orchestration) and GRC/Gateway integrations.
  • Prior contributions to security automation and developer tooling (open source or internal).

Responsibilities

  • Act as a strategic security partner for product lines such as Consumer and OTC.
  • Own security gates for major feature releases and ensure security is integrated from design.
  • Operate and improve the secure development lifecycle including SAST SCA DAST, SARIF ingestion, PR review standards, CI/CD security automation, and vulnerability triage workflows.
  • Research, architect, and safely embed AI utilities and Large Language Model agents directly into the secure development lifecycle.
  • Lead threat modeling for sensitive flows including authentication, payments, custody, reconciliation and sign off on security architecture for critical designs.
  • Translate technical risks and regulatory demands into clear security policies.
  • Own the creation and upkeep of Application Security Standards reference architectures and secure coding baselines aligned to compliance requirements.
  • Oversee bug bounty triage and remediation strategy.
  • Perform deep dive code reviews of security sensitive pull requests, mentor on secure coding patterns, and provide remediation guidance.
  • Conduct deep dive code reviews on Java and Kotlin backend pull requests.
  • Produce data driven Security Debt packs and negotiate remediation into engineering roadmaps.
  • Define application runtime signals and work with SecOps to instrument logs and alerts.
  • Build and maintain product level test harnesses, fuzzing property tests and CI checks to prevent regressions.
  • Provide product level Incident Response expertise including test forensic runbooks and reproduction of payment and settlement incidents.
  • Define and own Product Security metrics and translate KPIs into high level risk reports for leadership to drive data backed resourcing decisions.
  • Coach junior product security engineers and security champions.

Benefits

  • Equity in the company
  • In office London four days per week
  • Work from Anywhere policy up to 20 days per year
  • ClassPass
  • Unlimited vacation (employee flexible time off)
  • Apple equipment