About us
We are champions of rail, inspired to build a greener, more sustainable future of travel. Trainline enables millions of travellers to find and book the best value tickets across carriers, fares, and journey options through our highly rated mobile app, website, and B2B partner channels.
Great journeys start with Trainline
Now Europe's number 1 downloaded rail app, with over 135 million monthly visits and £6.3 billion in annual ticket sales, we collaborate with 270+ rail and coach companies in over 40 countries. We want to create a world where travel is as simple, seamless, eco-friendly and affordable as it should be.
Today, we're a FTSE 250 company driven by our incredible team of over 1,000 Trainliners from 50+ nationalities, based across London, Paris, Barcelona, Milan, Edinburgh and Madrid. With our focus on growth in the UK and Europe, now is the perfect time to join us on this high-speed journey.
About the Security Team
Join our dynamic team, where we focus on designing, implementing, and monitoring security controls to ensure a robust security posture in a fast-evolving environment. As part of our mission to continuously improve and mature Trainline's security capabilities, we work closely with cross-functional teams, including Cloud Engineering, SRE, Platform Engineering, and more, to integrate the latest technologies and best practices into our products.
You will play a critical role in safeguarding all digital channels that collectively generate billions of pounds in annual ticket sales, ensuring that our systems stay secure, resilient, and innovative in the face of evolving threats.
The Role
As a Product Security Engineer Analyst, you'll contribute to the product security function by helping to embed security into our product development lifecycle, assist with vulnerability management, and work with cross-functional teams to improve security practices across Trainline's digital products.
This role is ideal for someone early in their security career who is motivated to apply security thinking within modern cloud-native product environments, working alongside experienced engineers and product teams to improve the security posture of Trainline's platforms.
What You'll Do
SUPPORT SECURE DEVELOPMENT
- Support the integration of security practices across the product development lifecycle, helping teams design and build secure services and features.
- Work with teams to promote secure-by-default and a shift-left approach to security, ensuring security considerations are addressed early to reduce the risk and cost of fixing issues later.
- Help integrate security checks (e.g., SAST, SCA, secret scanning) into CI/CD workflows to identify risks during development.
- Assist in triaging and analysing findings from automated tooling, validating results, identifying false positives, and partnering with engineering teams to prioritise and remediate security risks.
VULNERABILITY TRIAGE & TRACKING
- Review and triage incoming security issues from scans and bug reports.
- Record, prioritise and help track remediation with developers and platform teams.
- Contribute to vulnerability monitoring dashboards and reports.
LEARNING & THREAT AWARENESS
- Participate in threat modelling sessions and documentation efforts.
- Stay updated on common application vulnerabilities and security best practices.
- Shadow senior engineers in code reviews and security design discussions.
SECURITY ADVOCACY
- Help promote secure coding principles across teams by sharing guidance and resources.
- Help improve developer adoption of security tools and best practices.
- Support delivery of internal training sessions and documentation updates.
COMPLIANCE AND STANDARDS
- Assist with aligning product security practices with relevant security frameworks and standards (e.g., OWASP, NIST, ISO 27001, GDPR, PCI DSS).
- Support regulatory compliance efforts and maintain evidence to meet audit requirements.
Who You Are
You are curious about how systems work and how they can be secured, bringing an aware consumer mindset that considers the intersection of technology, security, and product design.
Must Have
- Relevant education, training, or practical experience in cyber/information security or software engineering/development
- Understanding of common security risks affecting applications, APIs, and distributed systems
- Familiarity with secure coding principles, the software development lifecycle (SDLC) and threat modelling concepts
- Exposure to security testing approaches such as SAST, DAST, or dependency scanning
- Basic programming or scripting ability (e.g. Python, JavaScript, or similar) to support automation, analysis, or tooling
- Interest in building or improving security tooling, automation, or developer workflows to help scale security across engineering teams
- Strong analytical and problem-solving skills, with the ability to analyse and assess security risks in application designs, code, or deployed systems
- Ability to collaborate effectively with engineers and communicate security concerns clearly
Nice to Have
- Bachelor's degree in Computer Science, Cybersecurity, Information Security, or a related technical field
- Experience using security tooling such as Burp Suite, OWASP ZAP, Semgrep, Checkmarx, OxSecurity, or Snyk
- Exposure to security reviews, threat modelling, penetration testing concepts, or risk assessments
- Familiarity with security frameworks and standards such as OWASP, ISO 27001, PCI DSS, or GDPR
- Familiarity with modern development environments, including AWS, CI/CD security checks, and API security testing
- Scripting experience (Python/Bash) and exposure to AI or martech ecosystems are a plus
- Experience gained through security coursework, certifications, personal projects, security research, CTF competitions, bug bounty programs, or open-source contributions is highly valued
Candidates with software, data or platform engineering backgrounds with an interest in security are also encouraged to apply.
What You'll Get
- The opportunity to work on large-scale platforms used by millions of travellers across the UK and Europe, helping secure systems that support billions of pounds in annual ticket sales
- Hands-on experience across modern product security practices, including threat modelling, secure design reviews, software supply chain security, AI security considerations, and security automation within CI/CD pipelines
- The chance to collaborate closely with experienced security, platform, and product engineers, gaining exposure to real-world security challenges in a modern engineering environment
- Opportunities to contribute to security research, experimentation, and tooling, helping improve Trainline's security capabilities and developer security experience
- Exposure to broader security initiatives across the organisation, including collaboration with other security functions and engagement with partners or vendors where relevant
- A supportive environment focused on mentorship, continuous learning, and career growth, including access to learning budgets, training resources, and professional development opportunities
More information:
Enjoy fantastic perks like private healthcare & dental insurance, a generous work from abroad policy, 2-for-1 share purchase plans, an EV Scheme to further reduce carbon emissions, extra festive time off, and excellent family-friendly benefits.
We prioritise career growth with clear career paths, transparent pay bands, personal learning budgets, and regular learning days. Jump on board and supercharge your career from day one!
We operate a hybrid working model and ask that Trainliners work from the office a minimum of 60% of their time over a 12-week period. We also have a 28-day Work from Abroad policy.
Our values represent the things that matter most to us and what we live and breathe every day, in everything we do:
- Think Big - We're building the future of rail
- Own It - We focus on every customer, partner and journey
- Travel Together - We're one team
- Do Good - We make a positive impact
We know that having a diverse team makes us better and helps us succeed. And we mean all forms of diversity - gender, ethnicity, sexuality, disability, nationality and diversity of thought. That's why we're committed to creating inclusive places to work, where everyone belongs and differences are valued and celebrated.
Interested in finding out more about what it's like to work at Trainline? Why not check us out on LinkedIn, Instagram and Glassdoor?