WHAT YOU’LL BRING WITH YOU

• 
  
  
  
• Extensive experience in Application Security, Secure Software Development, and DevSecOps practices.

• Hands-on experience with automated security testing tools, including SAST, DAST, SCA, and IaC security scanning.
• Proficiency in programming and scripting languages (Python, Java, Go, JavaScript, or similar); coupled with a strong understanding of secure coding principles, OWASP Top 10, SANS CWE, and software security best practices.
• Hands-on experience securing APIs, microservices, cloud-native applications, and serverless architectures
• Experience integrating security controls into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI, or similar).
• Solid background in vulnerability management, risk assessment, and application security triage; including incident response, investigating and mitigating application security breaches.
  Research has shown that women and underrepresented groups are less likely to apply to jobs unless they meet every single competency or experience . If you are excited about this role, but your past experience doesn’t align perfectly, we encourage you to apply anyway. You could be just the right person for this role and Xero. If you have any support or access requirements, we encourage you to advise us at time of application and throughout the interview process.

OUR PURPOSE

At Xero, we’re here to help you supercharge your business. We do this by automating routine tasks, surfacing actionable insights and connecting businesses with the right data, advisors and apps. When that happens, we’re not only making life better for small business, we’ll be building a stronger economy that can change the world.

ABOUT THE ROLE

Sitting within a newly formed Application Security team, this role will focus on secure software development, DevSecOps, security automation, and vulnerability management.
Day to day, you’ll work cross-functionally with engineering, product, and security teams to build and improve security tooling, secure coding practices, and automated security controls that empower developers to plan, write, test, and deploy secure applications efficiently.
We’re looking for somebody with a passion for security automation and security-as-code, who can leverage tools to improve efficiency. Coupled with a growth mindset, continuously learning and adapting to emerging threats and security trends.
This position will play a key role in securing Xero’s software development lifecycle (SDLC), ensuring that security is embedded into engineering workflows while enabling teams to deliver secure products at scale.

WHAT YOU’LL DO

• 
  
  
  
• Develop and implement secure coding practices, working closely with engineers to uplift security awareness and adoption

• Integrate automated security testing (SAST, DAST, SCA, IaC scanning) and security policy enforcement into CI/CD pipelines to identify vulnerabilities early.
• Work with DevOps and engineering teams to build security guardrails, ensuring frictionless security adoption; driving a “shift-left” security mindset by enabling teams with secure coding guidance, tooling, and risk-based security testing.
• Assist engineering teams in threat modeling to proactively identify and mitigate security risks in software designs. Ultimately looking to improve visibility and reporting of application security risks, helping teams understand and measure their security posture.
• Build and manage security automation tools, integrating them into existing developer workflows; contribute to DevSecOps initiatives, ensuring security controls are scalable, efficient, and developer-friendly.
• Participate in cross-functional security initiatives, working on security improvements that impact multiple teams. Continuously evaluate and improve security tools, scanning coverage, and security-as-code implementations.