See all the jobs at Mekari (PT. Mid Solusi Nusantara) here:
Technology | Full-time | Partially remote
Mekari is Indonesia's no. 1 Software-as-a-Service (SaaS) company. With our ecosystem of software solutions, including Mekari Jurnal, Mekari Talenta, Mekari Qontak, and Mekari Flex, we aim to facilitate entrepreneurs and leaders as they accelerate the digital transformation of their businesses.
In our 10+ year journey, we have reached over 1 million platform users, and we're not planning to stop any time soon. We need more people like you: builders and owners with calculated ambition who are ready to #ElevateThroughImpact and raise Indonesia's software standard.
Position Overview:
We're looking for a Product Security Engineer to join our team and help secure our products throughout their lifecycle. In this role, you'll work closely with engineering, product, and infrastructure teams to identify vulnerabilities, guide secure development practices, and respond to security incidents. You'll be a trusted advisor across the organization, someone teams turn to when they need security expertise on design decisions, code reviews, and emerging AI/ML threats.
Job Description:
- Vulnerability Assessment & Penetration Testing (VAPT)
Plan and execute penetration tests and vulnerability assessments across our applications, APIs, and infrastructure. Prioritize findings by business impact and work with engineering teams to drive remediation. Track trends over time to identify systemic weaknesses.
- Security Assessment & PRD/RFC Review
Review product requirement documents and technical RFCs for security implications, especially for new features, architectural changes, and third-party integrations. Provide actionable threat models and recommendations early in the development cycle so security is built in, not bolted on.
- Security Consultancy
Serve as a go-to resource for secure design, secure coding practices, and vulnerability remediation guidance. Partner with developers to solve hard security problems without slowing them down. Help teams make informed risk trade-offs.
- SAST & Secure Code Review
Manage and tune static analysis tooling to reduce noise and surface real issues. Conduct manual secure code reviews for critical or high-risk components. Champion secure coding standards and contribute to internal security guidelines.
- Security Incident Support
Support incident response efforts by triaging product security issues, conducting root cause analysis, and recommending both immediate fixes and long-term preventive measures. Contribute to post-mortems and help improve the incident response process.
- AI/ML Security Guidance
Advise teams on security risks specific to AI/ML systems, including adversarial inputs, model poisoning, data leakage, prompt injection, and supply chain risks in ML pipelines. Stay current on emerging threats in this space and translate research into practical guidance.
Requirements:
- Bachelor’s degree in Computer Science, Information Security, Cybersecurity, or related field (or equivalent experience).
- 2+ years of experience in application or product security, with a strong foundation in web application security, common vulnerability classes (OWASP Top 10 and beyond), and secure development lifecycles.
- Hands-on experience with penetration testing tools and methodologies (Burp Suite, custom scripting, etc.)
- Familiarity with SAST/DAST tools and the ability to tune them for real-world effectiveness
- Experience reviewing code in at least one or two major languages (Python, Go, Java, JavaScript, etc.)
- Comfort reading and contributing to technical design documents and threat models
- Exposure to AI/ML systems and an understanding of their unique attack surfaces
- Strong communication skills
- A collaborative mindset; you see yourself as a partner to engineering, not a gatekeeper
Nice to have:
- Relevant certifications (OSCP, OSWE, GWAPT, or similar)
- Experience building or improving security tooling and automation
- Background in bug bounty programs, either running one or participating
- Contributions to the security community (talks, blog posts, open-source tools)
Our team will review your application and will be in touch if your application is shortlisted for the next stage. If you do not hear from us in 30 days, we will keep your resume on file in case a relevant opportunity opens up.
Don't forget to check our Recruitment FAQ at https://bit.ly/FAQMekariRecruitment [ENG] or https://bit.ly/FAQRekrutmenMekari [INA] to find the answers to commonly asked questions regarding our recruitment process.
We wish you the best. Hope to see you around soon!
