Sr Product Security Engineer

Join the ServiceNow Product Security team, dedicated to holistically improving security program maturity. As a Senior Product Security Engineer within the Secure Software Development Lifecycle (SSDL) team in Hyderabad, Telangana, India, you will play a crucial role in measuring and enhancing security activities. This includes leading product threat modeling, improving security behaviors, and managing a highly visible security champions program, blending technical expertise with strategic vision.

In this role, you will collaborate with developers and software architects to build secure and resilient software. You will conduct threat modeling for software products and services to identify potential risks and participate in architectural reviews of products under development. A significant aspect of this position involves ensuring the continued success of our large and growing security champions program, mentoring security champions, and guiding them in secure software design.

Key responsibilities include:

• Working with a diverse range of technologies.
• Addressing complex architectural and technical challenges.
• Participating in threat modeling activities.
• Mentoring and collaborating with development teams to adopt secure coding practices.
• Contributing to strategic and high-visibility security initiatives across the organization.
• Acting as a security advocate and actively participating in the security champions program.

Qualifications include:

• Experience integrating AI into work processes, decision-making, or problem-solving.
• Over 4 years of experience in Software Security (AppSec).
• Over 1 year of experience in threat modeling software applications and services.
• Proficiency in threat modeling methodologies like STRIDE or PASTA and their application in fast-paced, iterative development lifecycles.
• In-depth understanding of common web application vulnerabilities (OWASP Top 10).
• Developer-level proficiency in languages such as Python, Java, JavaScript, and Golang.
• Knowledge of authentication and authorization standards (OAuth, OIDC, SAML, JWT, PASETO).
• Understanding of cryptography (symmetric/asymmetric, digital signatures, PKI, TLS, cryptographic hash functions).
• Familiarity with cloud-native technologies (containers, Kubernetes, AWS, GCP, Azure services).
• Knowledge of SAST, DAST, and SCA security tools.
• Familiarity with OWASP ASVS, SCVS, and related verification standards.
• Ability to collaborate effectively in a distributed team environment.
• Skill in communicating technical concepts to business stakeholders.
• A strong passion for security.