
Xero

Senior Security Engineer (AppSec)

Posted 6 Hours Ago
Hybrid
3 Locations
Senior level
As a Senior Security Engineer, you'll enhance security in software development by implementing secure coding, automated testing, and collaborating with cross-functional teams. You'll ensure efficient security practices and awareness while integrating security controls into CI/CD pipelines.
The summary above was generated by AI
Our Purpose 

At Xero, we’re here to help you supercharge your business. We do this by automating routine tasks, surfacing actionable insights and connecting businesses with the right data, advisors and apps. When that happens, we’re not only making life better for small business, we’ll be building a stronger economy that can change the world.

About the role

Sitting within a newly formed Application Security team, this role will focus on secure software development, DevSecOps, security automation, and vulnerability management.

Day to day, you'll work cross-functionally with engineering, product, and security teams to build and improve security tooling, secure coding practices, and automated security controls that empower developers to plan, write, test, and deploy secure applications efficiently.

We're looking for somebody with a passion for security automation and security-as-code, who can leverage tools to improve efficiency, coupled with a growth mindset: continuously learning and adapting to emerging threats and security trends.

This position will play a key role in securing Xero’s software development lifecycle (SDLC), ensuring that security is embedded into engineering workflows while enabling teams to deliver secure products at scale.

What you'll do

  • Develop and implement secure coding practices, working closely with engineers to uplift security awareness and adoption.
  • Integrate automated security testing (SAST, DAST, SCA, IaC scanning) and security policy enforcement into CI/CD pipelines to identify vulnerabilities early.
  • Work with DevOps and engineering teams to build security guardrails that make security adoption frictionless, driving a "shift-left" security mindset by enabling teams with secure coding guidance, tooling, and risk-based security testing.
  • Assist engineering teams with threat modeling to proactively identify and mitigate security risks in software designs, and improve the visibility and reporting of application security risks so that teams can understand and measure their security posture.
  • Build and manage security automation tools, integrating them into existing developer workflows; contribute to DevSecOps initiatives, ensuring security controls are scalable, efficient, and developer-friendly.
  • Participate in cross-functional security initiatives, working on security improvements that impact multiple teams; continuously evaluate and improve security tools, scanning coverage, and security-as-code implementations.

What you'll bring with you

  • Extensive experience in Application Security, Secure Software Development, and DevSecOps practices.
  • Hands-on experience with automated security testing tools, including SAST, DAST, SCA, and IaC security scanning.
  • Proficiency in programming and scripting languages (Python, Java, Go, JavaScript, or similar), coupled with a strong understanding of secure coding principles, the OWASP Top 10, the CWE/SANS Top 25, and software security best practices.
  • Hands-on experience securing APIs, microservices, cloud-native applications, and serverless architectures.
  • Experience integrating security controls into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI, or similar).
  • Solid background in vulnerability management, risk assessment, and application security triage, including incident response: investigating and mitigating application security breaches.


Research has shown that women and underrepresented groups are less likely to apply to jobs unless they meet every single competency or experience requirement. If you are excited about this role, but your past experience doesn't align perfectly, we encourage you to apply anyway. You could be just the right person for this role and Xero. If you have any support or access requirements, we encourage you to advise us at the time of application and throughout the interview process.

Why Xero? 

Offering very generous paid leave to use however you’d like (plus statutory holidays!), dedicated paid leave to care for your physical and mental wellbeing as well as an Employee Assistance Program to access mental health care for you and your family. Health insurance, life insurance, and income protection.

We offer wellbeing and sports programmes, employee resource groups, 26 weeks of paid parental leave for primary caregivers, an Employee Share Plan, beautiful offices, flexible working, career development, and many other benefits that reflect our human value.

You’ll do the best work of your life at Xero!

Top Skills

DAST
GitHub Actions
GitLab CI
Go
IaC
Java
JavaScript
Jenkins
Python
SAST
SCA

Xero Hawthorn West, Victoria, AUS Office

Xero Melbourne (HQ) Office

Xero’s head office in Australia is in the buzzing suburb of Hawthorn, a stone’s throw from the CBD. Here, a diverse mix of Xeros work in both global and regional teams.
