Principal Software Engineer | DevSecOps | Product Security

ServiceNow•Santa Clara, CA

20h•Onsite

About The Position

PLEASE NOTE, THIS ROLE REQUIRES A MINIMUM OF 2 DAYS A WEEK IN ANYONE OF OUR SERVICENOW OFFICES THROUGH THE U.S.....If you cannot commit to 2 days per week in a ServiceNow Office.......... PLEASE DO NOT APPLY, THANK YOU VERY MUCH The ServiceNow Security Organization (SSO) The ServiceNow Security Organization (SSO) delivers world-class, innovative security solutions to reduce risk and protect the company and our customers. We enable our customers to migrate their most sensitive data and workloads to the cloud, accelerating our business so that we are the most trusted SaaS provider. We create an environment where our employees are proud to work and can make a positive impact The DevSecOps team within Product Security is responsible for building, integrating, and operating resilient security services that protect the NOW platform, store applications, mobile applications, and internal services. We empower over 9,000 developers globally to build secure software by embedding automated security tools and services throughout the software development lifecycle. We are a collaborative and innovative team, driving a security-first culture through automation and continuous improvement. Role As a Principal Engineer on the DevSecOps team, you will lead the development, deployment, integration, and scale of security services to support SAST, Secret Detection, Deep Code Search, and other Source Code Security functions across ServiceNow. You will support Product Engineers and Product Management across hundreds of BUs and understand how security is an enabler to reduce product delivery cycle time and security risk. In addition, you will ensure our embedded security services provide the best developer experience with high fidelity findings and actionable remediation guidelines. Finally, you will lead the build of ServiceNow Apps and Services to support the Product Security Organization’s security activities at scale and make the world of work, work better for all of us. What you get to do in this role: Use your software engineering expertise to engage in deep technical conversations with lead engineers across the company, balancing security risk prioritization with empathy for speed-to-market pressures. Clearly articulate and prioritize security risk to engineering peers and business unit leaders (VP/SVP level), exercising diplomacy in high-visibility situations and building metrics dashboards that resonate with both technical and executive audiences. Innovate with AI/ML technologies to proactively identify, prioritize, and remediate security risks at scale, applying intelligent automation to improve signal quality, reduce false positives, and accelerate secure software delivery. Lead the architecture and development of our next-gen source code security tools, including a suite of SAST, Secret detection, Code Search and other services to secure our platform, store applications, and cloud native services. You can see the forest through the trees and prioritize service development areas by risk and organizational readiness. Design and advocate for security service integrations at optimal points in the software development lifecycle, enabling developers to discover and remediate issues with zero friction. Coach and mentor team members in their personal and professional development, identify training opportunities, and seek diverse perspectives to continuously improve team capabilities. Create targeted security training and translate technical findings into actionable, practical guidance that makes secure-by-default choices easier than insecure ones for the entire engineering organization.

Requirements

Experience in leveraging or critically thinking about how to integrate AI into work processes, decision-making, or problem-solving. This may include using AI-powered tools, automating workflows, analyzing AI-driven insights, or exploring AI’s potential impact on the function or industry.
15+ years of software engineering experience with a proven track record of influencing and delivering high-impact projects across large organizations, and a demonstrated ability to reduce complex systems into maintainable solutions that less experienced engineers can operate with confidence. Or similar experience in combination with education
Deep expertise in application security tooling and DevSecOps including 5+ years architecting, integrating, and operating security testing pipelines (SAST, secret detection, SCA, DAST, container/IaC scanning) with understanding of each tool class's strengths, limitations, false positive tuning, optimal SDLC placement, and risk-based policy enforcement.
Passion for security as an enabler—you believe security accelerates innovation when implemented thoughtfully and strive to create developer experiences that make security invisible and effortless.
Demonstrated ability to challenge conventional security approaches and evolve practices to meet the needs of modern, cloud native, high velocity engineering organizations.
Expert-level secure software development skills including secure architecture design, threat modeling (STRIDE or similar frameworks), security-conscious code review, secure API development, and polyglot programming capabilities across multiple languages and paradigms.
Proven ability to influence senior leadership and drive cross-functional collaboration with experience communicating security risk to VP/SVP-level stakeholders, making tough decisions under pressure, and building trust across engineering, product, and security organizations.
Strong foundation in distributed systems, CI/CD, and automation with experience designing secure, scalable distributed architectures, implementing security gates in continuous deployment pipelines, and building test automation frameworks that embed security validation throughout the SDLC.
Track record of coaching, training, and elevating organizational security capabilities through mentorship, creating targeted training programs, and translating complex security findings into practical secure-by-default guidance that empowers thousands of developers
Experience with security metrics, KPIs, and program maturity assessment including establishing meaningful metrics (MTTR, vulnerability density, coverage, escape rates), benchmarking against frameworks (BSIMM, SAMM), and translating technical findings into risk-quantified narratives for executive audiences.
Proficiency with AI-enabled security practices and generative AI security fundamentals including leveraging AI tooling to accelerate security workflows while maintaining critical evaluation of AI outputs and understanding both AI attack surfaces and adversarial AI use cases.
BS in computer science or equivalent work experience.

Nice To Haves

Hands-on experience with modern security tooling such as Semgrep, CodeQL, or Checkmarx for SAST; GitGuardian, TruffleHog, or detect-secrets for secret detection; Snyk, Dependabot, or Grype for SCA; or equivalent tools in the application security ecosystem
ServiceNow platform and application development experience including familiarity with the NOW platform architecture, Scoped Applications, Flow Designer, or custom app development that would accelerate your ability to build native security services
Experience scaling security programs at high-growth technology companies with engineering organizations of 5,000+ developers, demonstrating patterns for balancing security rigor with developer velocity at scale
Security certifications such as CISSP, OSCP, CEH, CSSLP, or equivalent that demonstrate formal security training and commitment to the discipline
Open-source security contributions including contributions to security tools, vulnerability disclosures, security research publications, or active participation in security communities (OWASP, BSides, Black Hat, etc.)
Cloud-native security expertise with experience securing Kubernetes, containerized workloads, serverless architectures, or infrastructure-as-code in AWS, Azure, or GCP environments

Responsibilities

Use your software engineering expertise to engage in deep technical conversations with lead engineers across the company, balancing security risk prioritization with empathy for speed-to-market pressures.
Clearly articulate and prioritize security risk to engineering peers and business unit leaders (VP/SVP level), exercising diplomacy in high-visibility situations and building metrics dashboards that resonate with both technical and executive audiences.
Innovate with AI/ML technologies to proactively identify, prioritize, and remediate security risks at scale, applying intelligent automation to improve signal quality, reduce false positives, and accelerate secure software delivery.
Lead the architecture and development of our next-gen source code security tools, including a suite of SAST, Secret detection, Code Search and other services to secure our platform, store applications, and cloud native services.
You can see the forest through the trees and prioritize service development areas by risk and organizational readiness.
Design and advocate for security service integrations at optimal points in the software development lifecycle, enabling developers to discover and remediate issues with zero friction.
Coach and mentor team members in their personal and professional development, identify training opportunities, and seek diverse perspectives to continuously improve team capabilities.
Create targeted security training and translate technical findings into actionable, practical guidance that makes secure-by-default choices easier than insecure ones for the entire engineering organization.