Principal Software Engineer | DevSecOps | Product Security
Company: ServiceNow
Location: Orlando
Posted on: March 22, 2026
Job Description:
The ServiceNow Security Organization (SSO) delivers world-class, innovative security solutions to reduce risk and protect the company and our customers. We enable our customers to migrate their most sensitive data and workloads to the cloud, accelerating our business so that we are the most trusted SaaS provider. We create an environment where our employees are proud to work and can make a positive impact.

The DevSecOps team within Product Security is responsible for building, integrating, and operating resilient security services that protect the NOW platform, store applications, mobile applications, and internal services. We empower over 9,000 developers globally to build secure software by embedding automated security tools and services throughout the software development lifecycle. We are a collaborative and innovative team, driving a security-first culture through automation and continuous improvement.

Role

As a Principal Engineer on the DevSecOps team, you will lead the development, deployment, integration, and scale of security services to support SAST, Secret Detection, Deep Code Search, and other Source Code Security functions across ServiceNow. You will support Product Engineers and Product Management across hundreds of BUs and understand how security is an enabler to reduce product delivery cycle time and security risk. In addition, you will ensure our embedded security services provide the best developer experience with high fidelity findings and actionable remediation guidelines. Finally, you will lead the build of ServiceNow Apps and Services to support the Product Security Organization’s security activities at scale and make the world of work, work better for all of us.

What you get to do in this role:

• Use your software engineering expertise to engage in deep technical conversations with lead engineers across the company, balancing security risk prioritization with empathy for speed-to-market pressures.
• Clearly articulate and prioritize security risk to engineering peers and business unit leaders (VP/SVP level), exercising diplomacy in high-visibility situations and building metrics dashboards that resonate with both technical and executive audiences.
• Innovate with AI/ML technologies to proactively identify, prioritize, and remediate security risks at scale, applying intelligent automation to improve signal quality, reduce false positives, and accelerate secure software delivery.
• Lead the architecture and development of our next-gen source code security tools, including a suite of SAST, Secret detection, Code Search and other services to secure our platform, store applications, and cloud native services. You can see the forest through the trees and prioritize service development areas by risk and organizational readiness.
• Design and advocate for security service integrations at optimal points in the software development lifecycle, enabling developers to discover and remediate issues with zero friction.
• Coach and mentor team members in their personal and professional development, identify training opportunities, and seek diverse perspectives to continuously improve team capabilities.
• Create targeted security training and translate technical findings into actionable, practical guidance that makes secure-by-default choices easier than insecure ones for the entire engineering organization.

Qualifications

To be successful in this role you have:

• Experience in leveraging or critically thinking about how to integrate AI into work processes, decision-making, or problem-solving. This may include using AI-powered tools, automating workflows, analyzing AI-driven insights, or exploring AI’s potential impact on the function or industry.
• 15 years of software engineering experience with a proven track record of influencing and delivering high-impact projects across large organizations, and a demonstrated ability to reduce complex systems into maintainable solutions that less experienced engineers can operate with confidence.
• Or similar experience in combination with education
• Deep expertise in application security tooling and DevSecOps including 5 years architecting, integrating, and operating security testing pipelines (SAST, secret detection, SCA, DAST, container/IaC scanning) with understanding of each tool class's strengths, limitations, false positive tuning, optimal SDLC placement, and risk-based policy enforcement.
• Passion for security as an enabler—you believe security accelerates innovation when implemented thoughtfully and strive to create developer experiences that make security invisible and effortless.
• Demonstrated ability to challenge conventional security approaches and evolve practices to meet the needs of modern, cloud native, high velocity engineering organizations.
• Expert-level secure software development skills including secure architecture design, threat modeling (STRIDE or similar frameworks), security-conscious code review, secure API development, and polyglot programming capabilities across multiple languages and paradigms.
• Proven ability to influence senior leadership and drive cross-functional collaboration with experience communicating security risk to VP/SVP-level stakeholders, making tough decisions under pressure, and building trust across engineering, product, and security organizations.
• Strong foundation in distributed systems, CI/CD, and automation with experience designing secure, scalable distributed architectures, implementing security gates in continuous deployment pipelines, and building test automation frameworks that embed security validation throughout the SDLC.
• Track record of coaching, training, and elevating organizational security capabilities through mentorship, creating targeted training programs, and translating complex security findings into practical secure-by-default guidance that empowers thousands of developers
• Experience with security metrics, KPIs, and program maturity assessment including establishing meaningful metrics (MTTR, vulnerability density, coverage, escape rates), benchmarking against frameworks (BSIMM, SAMM), and translating technical findings into risk-quantified narratives for executive audiences.
• Proficiency with AI-enabled security practices and generative AI security fundamentals including leveraging AI tooling to accelerate security workflows while maintaining critical evaluation of AI outputs and understanding both AI attack surfaces and adversarial AI use cases.
• BS in computer science or equivalent work experience.

Nice to have:

• Hands-on experience with modern security tooling such as Semgrep, CodeQL, or Checkmarx for SAST; GitGuardian, TruffleHog, or detect-secrets for secret detection; Snyk, Dependabot, or Grype for SCA; or equivalent tools in the application security ecosystem
• ServiceNow platform and application development experience including familiarity with the NOW platform architecture, Scoped Applications, Flow Designer, or custom app development that would accelerate your ability to build native security services
• Experience scaling security programs at high-growth technology companies with engineering organizations of 5,000 developers, demonstrating patterns for balancing security rigor with developer velocity at scale
• Security certifications such as CISSP, OSCP, CEH, CSSLP, or equivalent that demonstrate formal security training and commitment to the discipline
• Open-source security contributions including contributions to security tools, vulnerability disclosures, security research publications, or active participation in security communities (OWASP, BSides, Black Hat, etc.)
• Cloud-native security expertise with experience securing Kubernetes, containerized workloads, serverless architectures, or infrastructure-as-code in AWS, Azure, or GCP environments