Application Security Lead

Application Security Lead

Security at Prolific isn't an afterthought, it's foundational to how we build. As a company trusted by world-leading research institutions and AI labs to handle sensitive data at scale, the security of our platform and the code that powers it is critical. We handle participant data, researcher credentials, payment flows, and API integrations, and we need someone to own how we protect all of it at the application layer.

As Application Security Lead, you'll own Prolific's application security strategy and be the most senior security engineering voice in the organisation. You'll define and drive our Secure Software Development Lifecycle (SSDLC), set the standard for how security is embedded into engineering, and get hands-on with code review, threat modelling, and security testing when it matters. You'll also manage our Senior Application Security Engineer and continue to own our compliance programme alongside these responsibilities.

This is a player-coach role. You won't just set strategy, you'll be in the code, leading by example, and building the security culture that scales with Prolific. You'll need deep engineering experience to earn the trust of our engineering teams, and deep application security experience to know where the real risks are.

You'll report to the Head of Engineering/Platform and work cross-functionally with product engineering, platform, data, TechOps, and legal teams. As we scale, there's a clear path for this role to grow into leading a broader security function.

What you’ll bring to the role

• Several years of experience in software engineering, you’ve built and shipped production systems at scale
• Several years in application security (testing, code review, threat modelling, vuln management)
• Expert knowledge of OWASP Top 10 (Web & API) and modern attack paths (e.g. auth flaws, SSRF, injection, business logic, supply chain)
• Strong understanding of modern architectures (microservices, APIs, event-driven systems)
• Python for security tooling and automation (Django a strong plus)
• Hands-on testing experience (e.g. Burp Suite) and manual assessment of apps/APIs
• Experience building and scaling SSDLCs, including CI/CD tooling (SAST, SCA, DAST, secrets)
• Experience leading threat modelling and security design reviews
• Strong engineering partnership skills, you influence through trust
• Experience with ISO 27001 / SOC 2 and translating controls into real engineering practices
• Clear communicator across technical and non-technical audiences

Nice to haves

• Experience mentoring or managing security engineers
• Experience with Django, Vue.js, MongoDB, GCP
• Security champions or bug bounty programmes
• Supply chain or infrastructure security (e.g. Terraform, Kubernetes)
• Hands-on certifications (OSCP, GWAPT, BSCP, CISSP)
• Experience building AppSec in a scaling company