What is a Product Security Engineer?

Product Security Engineer
Posting date: 20 May 2022

Product Security Engineer. You will never find a more wretched source of confusion and ambiguity. So, what does it mean to be a ProdSec Engineer?

There are competing theories regarding the definition. Product Security is the securing of a product that a company offers, rather than the company environment itself, and so a ProdSec Engineer contributes in some facet to that goal.

Some people use this interchangeably with Application Security Engineer, an employee with SAST/DAST and secure code review skills.

What is a Product Security Engineer? The purest definition of the title is probably somebody who has the above skill set but adds into it some experience of Infrastructure Security, and even Detection & Response. Their security contributions have a broader perspective and take into account how an application interacts with underlying infrastructure, and what the threat scenarios and response would be if something did go wrong.

My recommendation, if recruiting against this definition, is typically to allow the last two elements to be skills learnt on the job. Trying to hire even one of these skill sets is a tall order in the current market.

The last definition would be to refer to any defined role within a team that focused exclusively on securing a product. I’ve seen Detection & Response Engineers termed ‘Product Security Engineers’ because they’re part of this dedicated setup.

Which definition sticks will be a matter of watching and waiting.

This article is taken from our 2022 Cybersecurity salary guide. If you would like to learn more and download a full copy of the guide, then please click here.