Head of AppSec

Contract Type: Permanent
Location: London, Paris, Valencia, Munich or Amsterdam

About you

You love working in a fast-moving, innovative environment that’s not constrained by loads of governance, and where everyone operates with a bias for action. You enjoy helping lots of different technical teams (from data engineering to front end UX) find the right approach for their situation. And, because you’ve seen the consequences (and probably the failures) of ‘best practice’, you’re not afraid to try out new things (even if they might not work out first time round).

You’re looking to join a company that’s already made a great start in turning secure application development into business as usual, and has all the foundations you need to take us to the next level. You have a ton of ideas you can add into the mix, and you’re looking to put your creativity and problem solving skills to use.

Here is our CISO blog post on his Dream Head of Application Security candidate. If this is you, please apply now.

About the role

  • Be the driving force behind threat modelling, running our Security Champions network and unblocking issues
  • Work with multiple tech teams (from software to platform engineering teams) to discover issues and get fixes into sprints
  • Be the ‘go to’ expert on securing apps across our technology platforms (which range from legacy apps to running Kubernetes clusters in production)
  • Advise on risk assessment, application design, secure development and testing, engaging with everyone from developers to C-level execs
  • Manage code reviews, write application security standards, and select / make the business case for tech we need
  • Do some hacking (if that’s what’s needed) to discover issues in applications or APIs
  • Build automation into review, fix and validation stages of a continuous delivery pipeline

P.S. We don’t expect you to be able to do everything listed above. We have a learning environment in the team for skills development, so don’t let this put you off if you think you might not be ‘senior enough’ (whatever that means!)

About the security team at Photobox Group

We operate transparently and work at pace to match the speed of delivery in technology teams across our business. Our guiding principles are: protect our customers and their experience with our products, hack ourselves first, and collaborate to maximise productivity.

We run a bit of a different structure to most teams, and we’re looking for new team members who can help us evolve and improve in how we operate, and how we integrate with business and technology teams to scale effectively. We have six ‘Heads of’ functions (AppSec, Risk, Detect, Fix, Engineering/Cloud and Operations) and we operate a lean and flexible team model of 6 full-time team members and between 10 and 15 experts supporting us remotely at any given time.

You can have a read on our blog about what we’re up to and how we’re thinking. Most of our team are also on Twitter, so feel free to seek us out and say hello. We share a lot of stuff because we believe open sourcing ideas helps the industry evolve. We are heavily involved in the Open Security Summit, and we run a number of events over the year with our friends in Security teams at other Internet companies.

About the business, our tech journey and current projects

Photobox Group is the umbrella for a number of businesses in the UK, Amsterdam, France, Germany, Spain and France - some of which have been around since the early days of the Internet. All our businesses focus on giving our customers the ability to make magic moments, whether by creating gifts or personal mementos of memories and experiences for those closest to them. Our operations span from e-commerce cloud platforms to physical printing factories. They all operate as separate business entities, so as a Security team we operate like a Services Business to tailor what we deliver to their needs.

We’re on a fast and exciting technology transformation journey (one of our projects is codenamed Rollercoaster!). We’re not just changing parts of our technology stack; we’re in the process of completely re-building it. We’ve just migrated 10 Petabytes of data to AWS in record-breaking time (hear our Chief Architect, Chris Astal, talk about it on this Photobox AWS Case Study), and we work very closely with AWS, who have changed their product roadmap several times to help us meet our targets! This means you’ll be working for a firm at the cutting edge of building and scaling e-commerce in the Cloud.

Things we’ll ask you to tell us about in the interview

  • What is your hands-on development background in application engineering and architecture?
  • What are your stakeholder management and influencing skills like, and what are some examples you can give us of success, failure, and what you learned?
  • What are the playbooks or frameworks you use for developer training and secure coding curriculum development?
  • How hands-on can you get with AppSec testing, exploiting vulns, deploying and using technologies and creating secure app dev workflows that work with teams using agile processes?
  • What technology environments are you at home in and what’s your experience in AWS?

About us

Photobox Group is Europe’s leading digital consumer service for personalised products and gifts and parent of the Photobox, Moonpig, Hofmann and posterXXL brands.

Creative Commons License

© 2018, Photobox Group Security. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


Photobox Group Security
Unit 7, Metal Box Factory
30 Great Guildford Street