Embedded Security Assessment
Partner closely with application development teams, participating in sprint planning, design reviews, and code reviews to identify and mitigate security risks early in the delivery lifecycle.
Assess application security posture across all phases of delivery including architecture, source code, dependencies, APIs, authentication and authorisation mechanisms, data handling practices, and runtime behaviour.
Conduct threat modelling for new features, architectural changes, AI/agentic system integrations, and multi-tenant platform components, communicating identified risks in terms meaningful to both engineering and business stakeholders.
Evaluate CI/CD pipeline security including configurations, secrets management, artifact integrity, dependency supply-chain risks, and access controls.
Review cloud infrastructure (AWS) configurations to identify security gaps across identity and access management, network design, data protection, workload hardening, logging, and monitoring.
Assess multi-tenant boundary controls to identify cross-tenant data access paths, context confusion, and shared-resource leakage risks.
Assess AI and agentic system components including prompt injection risks, tool-call trust boundaries, agent privilege scope, MCP/orchestration layer exposures, and model output handling. Apply OWASP Top 10 for LLMs and emerging adversarial AI guidance.
Evaluate secrets management posture across repositories, CI/CD pipelines, environment configurations, serverless functions, and managed secrets services.
Perform security-focused code reviews, identifying OWASP Top 10 vulnerabilities as well as language- and framework-specific security issues.
Remediation Guidance & Implementation
Produce clear, prioritised remediation recommendations with sufficient technical detail to enable development teams to remediate issues independently.
Directly implement security fixes where appropriate, including code changes, infrastructure-as-code (IaC) updates, CI/CD pipeline hardening, and cloud configuration corrections.
Provide hands-on support to developers through pairing, targeted guidance, and practical code examples.
Validate the effectiveness of remediations through retesting and evidence collection.
Track, manage, and report remediation progress against documented security findings, including framing of residual risk and regulatory exposure where relevant.
Assess authentication and authorisation implementations including OAuth 2.0/OIDC, JWT, RBAC/ABAC, session management, and service-to-service authentication patterns.
Review API security controls including input validation, rate limiting, schema enforcement, error handling, and gateway policies. Assess both REST and GraphQL surfaces.
Evaluate data protection practices including encryption in transit and at rest, PII and financial data handling, tokenisation, secrets management, and data minimisation.
Identify insecure design patterns and recommend secure alternatives aligned with OWASP and industry best practices.
Assess data layer security including database access controls, ORM injection paths, and data-tier privilege abuse patterns relevant to financial data environments.
AI & Agentic System Security
Assess the security of AI-integrated and agentic workflows, including prompt injection vulnerabilities, indirect prompt injection via tool outputs or retrieved data, and jailbreak risks.
Evaluate tool-call trust boundaries and agent authorisation scope, identifying paths to privilege escalation or unintended action execution within agentic pipelines.
Review MCP server configurations, orchestration layer access controls, and inter-agent communication patterns for authentication gaps and abuse paths.
Assess model output handling in downstream systems, identifying injection risks where model-generated content is rendered, executed, or passed to other services without adequate sanitisation.
Apply OWASP Top 10 for LLMs and emerging adversarial AI security guidance as a structured assessment framework, and contribute to its evolution based on findings in production systems.
Work with engineering and product teams to establish security patterns and guardrails for AI/agentic system design that are proportionate and operable in a regulated environment.
Assess existing CI/CD pipelines for security gaps and provide recommendations for process, tooling, and configuration improvements.
Support the integration of automated security testing including SAST, SCA, secrets scanning, container image scanning, IaC policy enforcement, and DAST where applicable.
Provide secure coding guidance and developer enablement resources to support a shift-left security culture within ES engineering.
Cloud Infrastructure Security (AWS)
Review and remediate AWS security controls across identity and access management (IAM roles and policies, permission boundaries, cross-account access, SSO/federation), network security (VPC architecture, segmentation, egress controls, security groups, WAF/Shield), data protection (KMS, encryption, backup strategies), and workload security (containers, serverless, hardened images, patch management).
Identify cloud misconfigurations using AWS-native services and third-party tooling, and implement or guide corrective actions.
Assess multi-tenant infrastructure configurations to validate that tenant isolation controls are correctly implemented and operationally maintained.
Risk Communication & Documentation
Produce high-quality assessment reports containing clear findings, risk ratings, and actionable remediation steps, framed in terms of business impact and regulatory exposure (SOC 2, MiFID II, DORA) as appropriate.
Maintain security findings registers and track remediation status through to closure.
Contribute to security runbooks, architectural patterns, and team-facing guidance documentation.
Participate in post-incident reviews, penetration test remediation, and vulnerability management processes.