Security Engineer II


About Us: 

Booking Holdings (NASDAQ: BKNG) is the world leader in online travel and related services, provided to customers and partners in over 220 countries and territories through six primary consumer-facing brands: Booking.com, KAYAK, Priceline, Agoda.com, Rentalcars.com, and OpenTable. Our mission is to make it easier for everyone to experience the world.

 

Role Description:

As an Application Security Engineer at Booking.com, you will protect one of the world's largest travel platforms by operating and evolving our runtime defence capabilities — including WAF management, bot mitigation, and application-layer incident response. You will work closely with development and platform teams to embed security into the delivery lifecycle, and contribute to detection engineering that scales across our global infrastructure.

 

This role is for engineers who are as comfortable analysing HTTP traffic patterns as they are reviewing a pull request. We value people who learn from incidents rather than hiding them, and who bring intellectual honesty over the pretence of knowing everything.

 

Key Job Responsibilities and Duties

  • Implement, configure, and manage our Web Application Firewall (WAF) infrastructure to protect web applications from common security threats

  • Develop and maintain bot detection systems to identify and mitigate automated threats and malicious bot activity

  • Participate in incident response for application security events, supporting investigation, containment, and remediation

  • Contribute to security policies aligned with organisational requirements and industry best practices

  • Conduct regular audits and testing of WAF and bot detection rules to ensure effectiveness and minimise false positives

  • Collaborate with development teams to implement secure coding practices and review application architectures for security considerations

  • Build and maintain internal tooling and automation to scale security operations and reduce manual toil in detection and response workflows

  • Develop and maintain documentation for security controls, configurations, and incident response procedures

  • Stay current with the emerging threat landscape and proactively contribute to improving our security controls

 

What We Are Looking For:

  • 3+ years of experience in application security or information security roles. Equivalent experience is fully accepted in lieu of a formal degree.

  • Ability to think adversarially — understanding attacker goals and mapping them to defensive controls

  • Deep understanding of HTTP/S internals — headers, cookies, TLS handshake, request lifecycle, and how abuse patterns manifest at the protocol level.

  • Proficiency in Python for scripting, automation, and security analysis. Ability to read and reason about code in at least one additional language (Bash, JavaScript, or Java) is a plus.

  • Strong understanding of OWASP Top 10 vulnerabilities and mitigation strategies

  • Experience configuring and managing at least one WAF platform

  • Proficiency in analysing web traffic patterns to identify and respond to security threats

  • Experience contributing to incident response procedures and handling security events

  • Intellectual curiosity — evidenced by staying current with the threat landscape and learning independently

  • Strong analytical and problem-solving skills, including reasoning under ambiguity and incomplete information

  • Ownership mindset — able to drive tasks to completion and contribute proactively, without needing constant direction

  • Excellent communication skills to explain technical security concepts clearly to both technical and non-technical audiences

  • Knowledge of DevSecOps practices and tools for integrating security into CI/CD pipelines

Nice to Have:

  • Experience with AWS WAF and AWS Bot Control specifically

  • Experience with cloud security and securing applications in AWS, Azure, or GCP environments

  • Experience with API security and securing microservices architectures

  • Experience with threat modelling and risk assessment methodologies

  • Knowledge of compliance requirements related to application security (e.g., PCI DSS, GDPR)

  • Knowledge of machine learning and AI techniques for security analytics and anomaly detection

  • Experience with SIEM tools and security monitoring solutions

  • Security certifications such as OSCP, OSWA, or OSWE

  • Contributions to the security community through research, blog posts, or open-source projects

 

Benefits & Perks - Global Impact, Personal Relevance:

 

Booking.com’s Total Rewards Philosophy is not only about compensation but also about benefits. We offer a competitive compensation and benefits package, as well unique-to-Booking.com benefits which include:

  • Annual paid time off and generous paid leave scheme including: parent, grandparent, bereavement, and care leave

  • Hybrid working including flexible working arrangements, and up to 20 days per year working from abroad (home country)

  • Industry leading product discounts - up to 1400 per year - for yourself, including automatic Genius Level 3 status and Booking.com wallet credit

  • Living and working in Amsterdam, one of the most cosmopolitan cities in Europe

  • Contributing to a high scale, complex, world renowned product and seeing real-time impact of your work on millions of travelers worldwide

  • Working in a fast-paced and performance driven culture

  • Opportunity to utilize technical expertise, leadership capabilities and entrepreneurial spirit

  • Promote and drive impactful and innovative engineering solutions

  • Technical, behavioral and interpersonal competence advancement via on-the-job opportunities, experimental projects, hackathons, conferences and active community participation

  • Competitive compensation and benefits package and some great added perks of working in the home city of Booking.com

 

Diversity, Equity and Inclusion (DEI) at Booking.com: 

 Diversity, Equity & Inclusion have been a core part of our company culture since day one. This ongoing journey starts with our very own employees, who represent over 140 nationalities and a wide range of ethnic and social backgrounds, genders and sexual orientations. 

 Take it from our Chief People Officer, Paulo Pisano: “At Booking.com, the diversity of our people doesn’t just build an outstanding workplace, it also creates a better and more inclusive travel experience for everyone. Inclusion is at the heart of everything we do. It’s a place where you can make your mark and have a real impact in travel and tech.” 

We ensure that colleagues with disabilities are provided the adjustments and tools they need to participate in the job application and interview process, to perform crucial job functions, and to receive other benefits and privileges of employment.

Application Process: 

  • Let’s go places together: How we Hire

  • This role does not come with relocation assistance.

Booking.com is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. We strive to move well beyond traditional equal opportunity and work to create an environment that allows everyone to thrive.

 

 


Pre-Employment Screening

If your application is successful, your personal data may be used for a pre-employment screening check by a third party as permitted by applicable law. Depending on the vacancy and applicable law, a pre-employment screening may include employment history, education and other information (such as media information) that may be necessary for determining your qualifications and suitability for the position.

location icon

Locations

Amsterdam, Netherlands
building icon

Company

Booking.com
house icon

Remote

x-mark icon