ServiceNow

Principal Software Engineer | DevSecOps | Product Security

Posted 3 Hours Ago
Remote or Hybrid
Hiring Remotely in Atlanta, GA
240K-420K Annually
Expert/Leader
Lead design, development, integration, and scaling of source-code security services (SAST, secret detection, code search). Embed security throughout the SDLC, apply AI/ML to improve detection and remediation, build ServiceNow-native security services, mentor engineers, and communicate security risk to technical and executive stakeholders.
The summary above was generated by AI
Company Description
It all started in sunny San Diego, California in 2004 when a visionary engineer, Fred Luddy, saw the potential to transform how we work. Fast forward to today - ServiceNow stands as a global market leader, bringing innovative AI-enhanced technology to over 8,100 customers, including 85% of the Fortune 500®. Our intelligent cloud-based platform seamlessly connects people, systems, and processes to empower organizations to find smarter, faster, and better ways to work. But this is just the beginning of our journey. Join us as we pursue our purpose to make the world work better for everyone.
Job Description
**PLEASE NOTE: THIS ROLE REQUIRES A MINIMUM OF 2 DAYS A WEEK IN ANY ONE OF OUR SERVICENOW OFFICES THROUGHOUT THE U.S. If you cannot commit to 2 days per week in a ServiceNow office, PLEASE DO NOT APPLY. THANK YOU VERY MUCH.**
The ServiceNow Security Organization (SSO)
The ServiceNow Security Organization (SSO) delivers world-class, innovative security solutions to reduce risk and protect the company and our customers. We enable our customers to migrate their most sensitive data and workloads to the cloud, accelerating our business so that we are the most trusted SaaS provider. We create an environment where our employees are proud to work and can make a positive impact.
The DevSecOps team within Product Security is responsible for building, integrating, and operating resilient security services that protect the NOW platform, store applications, mobile applications, and internal services. We empower over 9,000 developers globally to build secure software by embedding automated security tools and services throughout the software development lifecycle. We are a collaborative and innovative team, driving a security-first culture through automation and continuous improvement.
Role
As a Principal Engineer on the DevSecOps team, you will lead the development, deployment, integration, and scale of security services to support SAST, Secret Detection, Deep Code Search, and other Source Code Security functions across ServiceNow. You will support Product Engineers and Product Management across hundreds of BUs and understand how security is an enabler to reduce product delivery cycle time and security risk.
In addition, you will ensure our embedded security services provide the best developer experience with high fidelity findings and actionable remediation guidelines. Finally, you will lead the build of ServiceNow Apps and Services to support the Product Security Organization's security activities at scale and make the world of work, work better for all of us.
What you get to do in this role:
  • Use your software engineering expertise to engage in deep technical conversations with lead engineers across the company, balancing security risk prioritization with empathy for speed-to-market pressures.
  • Clearly articulate and prioritize security risk to engineering peers and business unit leaders (VP/SVP level), exercising diplomacy in high-visibility situations and building metrics dashboards that resonate with both technical and executive audiences.
  • Innovate with AI/ML technologies to proactively identify, prioritize, and remediate security risks at scale, applying intelligent automation to improve signal quality, reduce false positives, and accelerate secure software delivery.
  • Lead the architecture and development of our next-gen source code security tools, including a suite of SAST, Secret detection, Code Search and other services to secure our platform, store applications, and cloud native services. You can see the forest through the trees and prioritize service development areas by risk and organizational readiness.
  • Design and advocate for security service integrations at optimal points in the software development lifecycle, enabling developers to discover and remediate issues with zero friction.
  • Coach and mentor team members in their personal and professional development, identify training opportunities, and seek diverse perspectives to continuously improve team capabilities.
  • Create targeted security training and translate technical findings into actionable, practical guidance that makes secure-by-default choices easier than insecure ones for the entire engineering organization.

Qualifications
To be successful in this role you have:
  • Experience in leveraging or critically thinking about how to integrate AI into work processes, decision-making, or problem-solving. This may include using AI-powered tools, automating workflows, analyzing AI-driven insights, or exploring AI's potential impact on the function or industry.
  • 15+ years of software engineering experience with a proven track record of influencing and delivering high-impact projects across large organizations, and a demonstrated ability to reduce complex systems into maintainable solutions that less experienced engineers can operate with confidence.
  • Or similar experience in combination with education
  • Deep expertise in application security tooling and DevSecOps including 5+ years architecting, integrating, and operating security testing pipelines (SAST, secret detection, SCA, DAST, container/IaC scanning) with understanding of each tool class's strengths, limitations, false positive tuning, optimal SDLC placement, and risk-based policy enforcement.
  • Passion for security as an enabler: you believe security accelerates innovation when implemented thoughtfully and strive to create developer experiences that make security invisible and effortless.
  • Demonstrated ability to challenge conventional security approaches and evolve practices to meet the needs of modern, cloud native, high velocity engineering organizations.
  • Expert-level secure software development skills including secure architecture design, threat modeling (STRIDE or similar frameworks), security-conscious code review, secure API development, and polyglot programming capabilities across multiple languages and paradigms.
  • Proven ability to influence senior leadership and drive cross-functional collaboration with experience communicating security risk to VP/SVP-level stakeholders, making tough decisions under pressure, and building trust across engineering, product, and security organizations.
  • Strong foundation in distributed systems, CI/CD, and automation with experience designing secure, scalable distributed architectures, implementing security gates in continuous deployment pipelines, and building test automation frameworks that embed security validation throughout the SDLC.
  • Track record of coaching, training, and elevating organizational security capabilities through mentorship, creating targeted training programs, and translating complex security findings into practical secure-by-default guidance that empowers thousands of developers.
  • Experience with security metrics, KPIs, and program maturity assessment including establishing meaningful metrics (MTTR, vulnerability density, coverage, escape rates), benchmarking against frameworks (BSIMM, SAMM), and translating technical findings into risk-quantified narratives for executive audiences.
  • Proficiency with AI-enabled security practices and generative AI security fundamentals including leveraging AI tooling to accelerate security workflows while maintaining critical evaluation of AI outputs and understanding both AI attack surfaces and adversarial AI use cases.
  • BS in computer science or equivalent work experience.

Nice to have:
  • Hands-on experience with modern security tooling such as Semgrep, CodeQL, or Checkmarx for SAST; GitGuardian, TruffleHog, or detect-secrets for secret detection; Snyk, Dependabot, or Grype for SCA; or equivalent tools in the application security ecosystem
  • ServiceNow platform and application development experience including familiarity with the NOW platform architecture, Scoped Applications, Flow Designer, or custom app development that would accelerate your ability to build native security services
  • Experience scaling security programs at high-growth technology companies with engineering organizations of 5,000+ developers, demonstrating patterns for balancing security rigor with developer velocity at scale
  • Security certifications such as CISSP, OSCP, CEH, CSSLP, or equivalent that demonstrate formal security training and commitment to the discipline
  • Open-source security contributions including contributions to security tools, vulnerability disclosures, security research publications, or active participation in security communities (OWASP, BSides, Black Hat, etc.)
  • Cloud-native security expertise with experience securing Kubernetes, containerized workloads, serverless architectures, or infrastructure-as-code in AWS, Azure, or GCP environments

For positions in this location, we offer a base pay of $240,100 to $420,200, plus equity (when applicable), variable/incentive compensation and benefits. Sales positions generally offer a competitive On Target Earnings (OTE) incentive compensation structure. Please note that the base pay shown is a guideline, and individual total compensation will vary based on factors such as qualifications, skill level, competencies, and work location. We also offer health plans, including flexible spending accounts, a 401(k) Plan with company match, ESPP, matching donations, a flexible time away plan and family leave programs. Compensation is based on the geographic location in which the role is located and is subject to change based on work location.
Additional Information
Work Personas
We approach our distributed world of work with flexibility and trust. Work personas (flexible, remote, or required in office) are categories that are assigned to ServiceNow employees depending on the nature of their work and their assigned work location. Learn more here. To determine eligibility for a work persona, ServiceNow may confirm the distance between your primary residence and the closest ServiceNow office using a third-party service.
Equal Opportunity Employer
ServiceNow is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex, sexual orientation, national origin or nationality, ancestry, age, disability, gender identity or expression, marital status, veteran status, or any other category protected by law. In addition, all qualified applicants with arrest or conviction records will be considered for employment in accordance with legal requirements.
Accommodations
We strive to create an accessible and inclusive experience for all candidates. If you require a reasonable accommodation to complete any part of the application process, or are unable to use this online application and need an alternative method to apply, please contact [email protected] for assistance.
Export Control Regulations
For positions requiring access to controlled technology subject to export control regulations, including the U.S. Export Administration Regulations (EAR), ServiceNow may be required to obtain export control approval from government authorities for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by relevant export control authorities.
From Fortune. ©2025 Fortune Media IP Limited. All rights reserved. Used under license.

Top Skills

SAST, Secret Detection, Deep Code Search, SCA, DAST, Container Scanning, Infrastructure-as-Code Scanning, CI/CD, Kubernetes, Serverless, AWS, Azure, GCP, Semgrep, CodeQL, Checkmarx, GitGuardian, TruffleHog, detect-secrets, Snyk, Dependabot, Grype, ServiceNow, Flow Designer, Scoped Applications, AI/ML, Generative AI, STRIDE, Threat Modeling, Distributed Systems, Test Automation Frameworks
HQ

ServiceNow Santa Clara, California, USA Office

2225 Lawson Lane, Santa Clara, CA, United States, 95054

ServiceNow Pleasanton, California, USA Office

4305 Hacienda Drive, Suite 200, Pleasanton, CA, United States, 94588

ServiceNow San Francisco, California, USA Office

101 Green Street, San Francisco, CA, United States, 94111

ServiceNow Santa Clara, California, USA Office

3260 Jay Street, Santa Clara, CA, United States, 95054
