Key skills
Java engineeringSecure SDLCVulnerability managementAppSec toolingCross-team collaborationIncident managementSecure codingThreat modelingRisk assessmentPythonJavaScriptTypeScriptKubernetesCommunication skillsJavaSaaSSDLCCI/CDCommunicationCollaborationSales
About this role
Camunda is a leader in enterprise agentic automation, orchestrating complex business processes across agents, people, and systems. The Senior Information Security Engineer will work collaboratively with product and engineering teams to ensure security is embedded throughout the software development lifecycle, focusing on secure Java services and enhancing AppSec practices.
Responsibilities:
- Partner with engineering teams throughout the SDLC – from early design and architecture discussions, through implementation and testing, to deployment – to embed security by design in our products
- Lead and evolve our AppSec tooling and workflows by implementing, tuning, and integrating SAST, DAST, SCA, and container/image scanning into CI/CD pipelines, and making sure findings are actionable for developers
- Drive vulnerability management for our applications and supply chain, including triaging and prioritizing issues, coordinating with teams on fix/mitigate/accept decisions, and ensuring we continuously improve our security posture
- Perform secure design and architecture reviews and threat modeling for distributed, API- and microservices-based systems, helping teams understand security trade-offs and make sound, risk-based decisions
- Support and help coordinate application-layer security incidents and escalations, working closely with Engineering, Support, and other stakeholders to investigate, contain, and learn from issues
- Together with the rest of InfoSec team, help with security audits, customer assurance, and other processes
Requirements:
- Ability and/or willingness to use our product https://accounts.cloud.camunda.io/signup?_ga=2.47330343.127558761.1654184528-504024057.1654184528
- Strong Java engineering and secure coding background, with substantial hands-on experience building and reviewing Java services, working in CI/CD environments, and shipping SaaS or other cloud-based applications securely
- Secure SDLC, architecture & risk assessment experience, including secure design reviews, threat modeling for distributed/API/microservices systems, and performing risk assessments on product changes or new features
- Vulnerability management & security tooling expertise, with a proven track record of implementing and tuning SAST/DAST/SCA and container/image scanning, evaluating and triaging findings (including false positives), and driving fix/mitigate/accept decisions with engineering teams
- Cross-team collaboration & communication skills, enabling you to work effectively with Engineering, Support, Sales, and other stakeholders while explaining complex security issues and trade-offs in a clear, pragmatic way to both technical and non-technical audiences
- Developer-centric, incident-savvy mindset, meaning you are comfortable managing and supporting security incidents and escalations, you see yourself as an enabler (not a gatekeeper), and you influence teams toward risk-based, practical security improvements
- Experience developing in Python, JavaScript, or TypeScript in addition to Java
- Hands-on experience securing Kubernetes- or container-based workloads and modern cloud environments
- Prior work in a B2B software company, especially in high-availability or multi-tenant contexts
- Experience running security training, talks, or workshops for engineering teams