Job summary
This is an exciting opportunity in the Digital Services team! You’ll be joining our team at a time of transformation, and you will be part of shaping the future of our department. We use Agile Methodologies and promote a culture of continuous improvement.
We are looking for an enthusiastic Senior Test Engineer (Non-Functional Security) with great technical skills, able to deliver and support security testing workstreams, including vulnerability assessments and penetration testing. You will also offer guidance to other testers on security testing best practices.
You will be part of our non-functional testing specialist team, working collaboratively with your team and overseeing the testing journey.
This provides an opportunity to make the test community thrive by exploring new and emerging tools and approaches and working out how you can help the organisation deliver better services.
This is a rewarding role within the Test Team and provides an opportunity to contribute to the success of existing and future services provided by Companies House.
Watch this video to find out more about working in Digital at Companies House
Companies House offers a flexible and welcoming culture that promotes a healthy work-life balance as well as a proactive approach to wellbeing that allows us to be our best at work. We recognise that people are the key to our success, so we offer a fantastic benefits package including flexible working with no core hours, 30 days annual leave, 8 bank holidays and 1 privilege day as well as enrolment into the Civil Service Pension scheme with a contribution rate averaging 28%.
Find out more about what a great place Companies House is to work
We're able to consider both full-time and part-time working patterns for this opportunity. For part-time, this must be a minimum of 30 hours per week, over 4 or 5 days.
Please note - Companies House cannot offer Visa sponsorship to candidates through this campaign. Additionally, a Security Check (SC) is an essential requirement for this role (at least 3 out of the last 5 years in the UK). Please see the 'Things you need to know' section below for more information.
Job description
As a Senior Test Engineer focusing on security you will:
- Work within a delivery team, contributing to the coordination and execution of security testing across the software development lifecycle. This will involve running vulnerability scans using tools such as Burp, coordinating with relevant teams, and testing security-related issues.
- Support the wider test team by sharing knowledge and guidance on security testing approaches and tooling.
- Attend meetings and provide stakeholders with updates.
- Design and implement pipeline solutions to support automated security testing and reporting.
For more information on the Test Engineering profession and skills expected of a Lead, head over to the Government Digital and Data Profession Capability Framework.
Person specification
We are looking for the following, which will be assessed at sift, technical stage and interview.
- Experience in Security testing.
- A relevant certification in ethical hacking or penetration testing, such as 7Safe CSTA or GIAC Penetration testing, OR currently working towards this OR have proven working experience.
- Working knowledge of at least 5 of the following security tools and technologies:
  - Burp Suite (including Burp Scanner) – for web app vulnerability scanning and manual security testing.
  - OWASP ZAP – for DAST and automated security regression testing.
  - Postman or SOAP UI – for API testing with a security focus (e.g. injection, authorisation, token misuse).
  - OAuth2 / OpenID Connect – for testing secure authentication and access control scenarios.
  - Jenkins or Concourse – for integrating security testing into CI/CD pipelines.
  - Unix/Linux-based systems – for using command-line tools, analysing logs, and running manual tests.
  - AWS (or similar cloud provider) – with a focus on IAM, S3 access, and common misconfiguration risks.
  - SQL / MongoDB / Oracle – for testing injection flaws, access controls, and data sanitisation.
  - Karate DSL or Rest Assured – for automating security-focused API tests.
  - Git or other version control systems – for secure code handling and integration with security scanners.
  - Static Application Security Testing (SAST) tools – e.g. SonarQube, Checkmarx, Semgrep.
  - Dynamic Application Security Testing (DAST) tools – e.g. OWASP ZAP, Burp Suite Pro.
  - Infrastructure-as-Code (IaC) scanning tools – e.g. tfsec, Checkov.
  - Secrets detection tools – e.g. GitLeaks, truffleHog, detect-secrets.
  - Threat modelling approaches – e.g. STRIDE, or creating risk-based test charters.
  - Familiarity with the OWASP Top 10 – and how to test for each risk category.
Behaviours
We'll assess you against these behaviours during the selection process:
- Making Effective Decisions
- Managing a Quality Service
- Working Together
- Seeing the Big Picture
Technical skills
We'll assess you against these technical skills during the selection process:
- Penetration testing / ethical hacking
Benefits
Alongside your salary of £40,398, Companies House contributes £11,703 towards you being a member of the Civil Service Defined Benefit Pension scheme. Find out what benefits a Civil Service Pension provides.
We believe that our success is driven by the well-being and satisfaction of our team members at all levels of the organisation. At Companies House we’re committed to providing a comprehensive benefits package that goes beyond the ordinary, ensuring your career journey with us is not only fulfilling, but also rewarding. We pride ourselves on offering a quality work-life balance with our employee wellbeing being central to our working practices.
Head to Our benefits - Working for us - Recruitment (companieshouse.gov.uk) to find out more about the fantastic benefits package we have at Companies House.
We celebrate diversity...
As an equal opportunity employer, we celebrate diversity, being committed to ensuring we’re representative of the citizens we serve and creating an inclusive environment. Everyone in Companies House brings something different, and so will you. To fulfil our commitment to recruiting and attracting diverse talent we welcome applications from underrepresented groups. We also welcome applications from Welsh speakers.
We are proud to be a disability confident leader. Our recruitment process is fully inclusive and we can make adjustments as needed through our process. These could include having an interview buddy, extra time at interviews/assessments and receiving interview questions in advance, to name a few.
If you require any reasonable adjustments at application stage, or if you'd like to discuss any person-centred adjustments, please contact us by emailing recruitmentCH@companieshouse.gov.uk.
Read our 'Applying under the Disability Confidence Scheme (DCS)' guide to find out how to successfully complete an application under the Disability Confidence Scheme (DCS).
Where will you be working?
We are currently using a hybrid approach to the way we work which provides opportunities for you to be adaptable in the way you work so that you can achieve a healthy balance between your work and home life. The degree of choice you have will depend on your role and your day-to-day work activities. Your manager will agree regular patterns of attendance with you; however, you may be required to make yourself available to attend the office more frequently when required to meet business needs. Remote contracts will only be offered to successful candidates who are not a commutable distance to our Cardiff, Belfast or Edinburgh offices. If you are located at a reasonable distance to one of our offices, you will receive a hybrid contract aligned to one of our offices.
Things you need to know
Selection process details
This vacancy is using Success Profiles, and will assess your Behaviours, Experience and Technical skills.
In your application form we’d like you to:
- Tell us about your employment history, including any key responsibilities and achievements.
- Write a personal statement of 1000 words where you demonstrate how you meet the skills required for this role, providing examples to evidence your level of skill. In your personal statement we are looking for evidence of:
  - Experience in Security testing.
  - A relevant certification in ethical hacking or penetration testing, such as 7Safe CSTA or GIAC Penetration testing, OR currently working towards this OR have proven working experience is essential.
  - Working knowledge of at least 5 of the following security tools and technologies:
    - Burp Suite (including Burp Scanner) – for web app vulnerability scanning and manual security testing.
    - OWASP ZAP – for DAST and automated security regression testing.
    - Postman or SOAP UI – for API testing with a security focus (e.g. injection, authorisation, token misuse).
    - OAuth2 / OpenID Connect – for testing secure authentication and access control scenarios.
    - Jenkins or Concourse – for integrating security testing into CI/CD pipelines.
    - Unix/Linux-based systems – for using command-line tools, analysing logs, and running manual tests.
    - AWS (or similar cloud provider) – with a focus on IAM, S3 access, and common misconfiguration risks.
    - SQL / MongoDB / Oracle – for testing injection flaws, access controls, and data sanitisation.
    - Karate DSL or Rest Assured – for automating security-focused API tests.
    - Git or other version control systems – for secure code handling and integration with security scanners.
    - Static Application Security Testing (SAST) tools – e.g. SonarQube, Checkmarx, Semgrep.
    - Dynamic Application Security Testing (DAST) tools – e.g. OWASP ZAP, Burp Suite Pro.
    - Infrastructure-as-Code (IaC) scanning tools – e.g. tfsec, Checkov.
    - Secrets detection tools – e.g. GitLeaks, truffleHog, detect-secrets.
    - Threat modelling approaches – e.g. STRIDE, or creating risk-based test charters.
    - Familiarity with the OWASP Top 10 – and how to test for each risk category.
What will the process look like?
Sift
- Once the advert has closed we will sift applications. This involves reading through them all, so please bear with us as this can take some time.
- We may raise the score required if we receive a high number of applications.
- At sift candidates will be assessed against the experience listed in the advert and alongside your work history the panel will score your application against the following criteria:
  - Experience in Security testing.
  - A relevant certification in ethical hacking or penetration testing, such as 7Safe CSTA or GIAC Penetration testing, OR currently working towards this OR have proven working experience is essential.
  - Working knowledge of at least 5 of the numbered security tools and technologies listed above.
Technical assessment stage
- Candidates successful at sift will progress to the assessment stage, where you will be asked to complete a technical activity to demonstrate the technical skills and experience listed in the job description.
- Full details will be emailed across to candidates, including information about submission deadlines.
- The technical assessment stage will be assessing Technical Skill: Penetration testing / ethical hacking.
Interview
- Candidates successful at technical assessment stage will progress to the interview stage, where you will be invited to attend an interview. This will be conducted using Microsoft Teams.
- We use a blended interview technique, allowing us to find out more about you.
- We use the Success Profiles framework, and at interview we will assess the Behaviours, Technical Skills and Experience listed in the advert, and Strengths.
- As part of your interview, you will be asked to discuss your technical assessment stage. This will be assessing Technical Skill: Penetration testing / ethical hacking.
- After the technical assessment stage discussion, there will be Behaviour questions.
- A reserve list may be held for up to 12 months from which further appointments may be made for the same or similar roles.
Key dates (dates are indicative only and could be subject to change)
- Closing date: 20 July 2025 (at 23:55)
- Sifting: 21 July - 1 August 2025
- Technical assessment: w/c 4 August 2025
- Interviews: w/c 18 August 2025 onwards
We’re committed to being diverse and inclusive, so please make your application anonymous by removing all identifying personal information (such as names and dates) from your employment history and personal statement.
Our recruitment process is underpinned by the principle of recruitment based on fair and open competition with decisions made on the basis of merit, as outlined in the Civil Service Commissioners’ Recruitment Principles.
Artificial Intelligence (AI)
We understand that you might use AI and other resources for your application; however, please ensure all information you provide is factually accurate, truthful, and original and doesn’t include ideas or work that isn’t your own. This is so that your application is authentically and credibly your own. Your application may be rejected if evidence of plagiarism or reliance on AI is detected. Examples include presenting the ideas and experience of others, or generated by artificial intelligence (AI), as your own.
If you are invited to interview, please be aware the use of AI tools is prohibited (including recording or note taking) and any suspected use may result in the termination of your interview and subsequent withdrawal from the campaign.
More information on the ways you should and shouldn’t use AI can be found here.
Sponsorship
Companies House cannot offer Visa sponsorship to candidates through this campaign. Companies House holds a Visa sponsorship licence but this can only be used for certain roles and this campaign does not qualify. Should you apply for this role and require sponsorship, your application may be rejected, and any provisional offers of employment withdrawn.
Security
Successful candidates must pass a Baseline Personnel Security Standard (BPSS) check before they can be appointed.
BPSS is an entry-level security check. It uses the Police National Computer (PNC) to make sure a candidate has no convictions. The check returns evidence of any current criminal record and unspent convictions under the Rehabilitation of Offenders Act 1974.
Successful candidates must meet the security requirements for Security Check (SC) before they can be appointed.
The requirement for SC clearance is to have been present in the UK for at least 3 of the last 5 years. Failure to meet the residency requirements will result in your security clearance application being rejected.
Further information on National Security Vetting
Nationality statement
Candidates will be subject to UK immigration requirements as well as Civil Service nationality rules. If you're applying for a role requiring security clearance, please be aware that foreign or dual nationality is not an automatic bar. However certain posts may have restrictions which could affect those who do not have sole British nationality or who have personal connections with certain countries outside the UK.
As part of our recruitment process, it is essential for all candidates to independently verify their eligibility to work in the UK before applying. This includes a thorough check of your right to work to ensure compliance with UK employment laws, being mindful of the recent changes to going rates detailed on GOV.UK.
Please ensure you have the necessary documentation and permissions in place. Our team is dedicated to fostering a diverse and inclusive workforce and encourages applicants from all backgrounds to apply. However, it is the candidate's responsibility to ensure they meet the UK's legal requirements to work.
Feedback will only be provided if you attend an interview or assessment.
Security
Successful candidates must undergo a criminal record check.
Successful candidates must meet the security requirements before they can be appointed. The level of security needed is security check.
See our vetting charter.
People working with government assets must complete baseline personnel security standard checks.
Nationality requirements
This job is broadly open to the following groups:
- UK nationals
- nationals of the Republic of Ireland
- nationals of Commonwealth countries who have the right to work in the UK
- nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities with settled or pre-settled status under the European Union Settlement Scheme (EUSS)
- nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities who have made a valid application for settled or pre-settled status under the European Union Settlement Scheme (EUSS)
- individuals with limited leave to remain or indefinite leave to remain who were eligible to apply for EUSS on or before 31 December 2020
- Turkish nationals, and certain family members of Turkish nationals, who have accrued the right to work in the Civil Service
Further information on nationality requirements
Working for the Civil Service
The Civil Service Code sets out the standards of behaviour expected of civil servants.
We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles.
The Civil Service embraces diversity and promotes equal opportunities. As such, we run a Disability Confident Scheme (DCS) for candidates with disabilities who meet the minimum selection criteria.
The Civil Service also offers a Redeployment Interview Scheme to civil servants who are at risk of redundancy, and who meet the minimum requirements for the advertised vacancy.
Diversity and Inclusion
The Civil Service is committed to attract, retain and invest in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service Diversity and Inclusion Strategy.
Apply and further information
This vacancy is part of the Great Place to Work for Veterans initiative.
The Civil Service welcomes applications from people who have recently left prison or have an unspent conviction. Read more about prison leaver recruitment.
Once this job has closed, the job advert will no longer be available. You may want to save a copy for your records.
Contact point for applicants
Job contact:
- Name: Katie Jones
- Email: kjones6@companieshouse.gov.uk
Recruitment team
- Email: recruitmentch@companieshouse.gov.uk
Further information
We welcome applications in Welsh / Rydym yn croesawi ceisiadau yn y Gymraeg. Selection for appointment to the Civil Service is on merit, on the basis of fair and open competition, as outlined in the Civil Service Commission’s Recruitment Principles. In accordance with the Civil Service Commissioners’ Recruitment Principles, our recruitment and selection processes are underpinned by the requirement of appointment on the basis of merit by fair and open competition. If you feel your application has not been treated in accordance with the Recruitment Principles and you wish to make a complaint, you should contact infopoint@companieshouse.gov.uk in the first instance. If you are not satisfied with the response you receive you can contact the Civil Service Commission.
info@csc.gov.uk
Civil Service Commission, Room G/8, 1 Horse Guards Road SW1A 2HQ