Xero

Lead Security Engineer (Application Security & Vulnerability Management)

Posted 3 Days Ago
Remote or Hybrid
2 Locations
Senior level
As a Lead Security Engineer, you'll embed security in software development, implement automated security practices, and mentor teams on security responsibilities.
The summary above was generated by AI

The role and its impact

As a seasoned Lead Engineer/Tech Lead, you will be an acknowledged authority on application security & vulnerability management, solving engineering problems beyond your own team and influencing others to make changes.

This role will act as a technical hands-on leader, driving the implementation of secure software development practices across the organisation. You will play a pivotal role in embedding security into our software development lifecycle, ensuring vulnerabilities are identified, prioritised, and remediated efficiently. By advocating for secure-by-design principles, you will help us move from reactive remediation to proactive prevention.

Your work will involve uplifting security capabilities and automating controls to enable engineering teams to deliver secure, scalable products without compromising agility. You will balance security with developer experience, leading initiatives to improve our security posture across software and cloud environments while acting as a mentor to foster a culture of shared security responsibility.

We're looking for somebody with a passion for security automation and security-as-code who can leverage tools to improve efficiency, coupled with a growth mindset of continuously learning and adapting to emerging threats and security trends.

The team & how they connect

You will work across multiple teams, acting as a trusted advisor on complex security challenges and championing secure engineering enablement. Collaborating closely with engineering, platform, and cloud teams, you will foster a culture where security is a shared responsibility rather than a blocker.

Initially, you will focus on

  • Embedding automated security testing (SAST, DAST, SCA) and runtime tools into CI/CD pipelines to drive "shift-left" security.

  • Developing and refining automated vulnerability detection processes using our tech stack, which includes AWS, GCP, and Terraform.

  • Leading threat modeling exercises to proactively assess and mitigate risks before deployment.

  • Supporting software development with a security focus, utilising languages such as .NET, Python, Java, or JavaScript.

Where and how you can work

Our team is split across Australia & New Zealand; this role can be based anywhere in New Zealand.

We champion a diverse and inclusive working environment. We offer flexible working arrangements that allow you to balance your work and personal life. Whether you prefer working from home, in our beautiful offices, or a mix of both, we support the way you work best.

Here are some of the things we are looking for

  • You bring deep expertise in Application Security and Vulnerability Management, specifically within cloud-native applications and modern architectures.

  • A strong understanding of DevSecOps practices is essential, particularly regarding automated security testing and container security.

  • You are comfortable influencing without authority, aligning security priorities with business needs while collaborating across engineering teams.

  • Experience driving vulnerability management programs, including risk assessment and remediation strategies, will be key to your success.

  • You possess a solid grasp of modern software delivery practices and can code in languages like .NET, Python, Java, or JavaScript.

  • Passionate about developer enablement, you thrive on making security accessible and empowering engineers to write secure code.

Apply even if your experience isn't a perfect match! At Xero, we hire based on your skills, passion, and the unique perspective you can bring to enhance our culture and team.

Top Skills

.NET
AWS
DAST
GCP
Java
JavaScript
Python
SAST
SCA
Terraform
