Booking.com
Application Security Engineer II
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About Booking.com
Booking.com is a prominent global digital travel company based in Amsterdam, Netherlands. Founded in 1996, it has grown from a small startup into the world's largest accommodation booking platform. As part of Booking Holdings Inc., the company employs over 17,000 people across 198 offices in 70 countries, providing services in more than 40 languages. The platform offers a wide range of accommodations, including hotels, homes, and unique places to stay, with over 29 million listings in more than 150,000 destinations. Booking.com supports over 1.5 million bookings daily and also provides services for flights, rental cars, and tours. Its user-friendly website and app feature extensive guest reviews, helping travelers make informed choices. The company targets a diverse audience, catering to leisure and business travelers seeking reliable booking services worldwide.
Security at Booking.com
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
Stated AppSec Mission: "Trust is at the heart of everything we do." – Security & Infrastructure (https://careers.booking.com/teams/security-infrastructure/), Company careers page, ⚠️
Developer Enablement vs. Gatekeeping: "We enable developer self-service without sacrificing security." – HashiCorp blog (customer quote about Booking.com), Vendor blog.
Risk Philosophy: "We're fully committed to helping you and your guests stay safe online." – Our commitment to cybersecurity (https://partner.booking.com/en-us/learn-more/cybersecurity-accommodation-partners), Partner help page, ⚠️
Stated Pain Points or Goals (Verbatim):
- "Deliver a unified secrets management solution" – HashiCorp blog (Booking.com secrets team), Vendor blog.
- "In 2024, we blocked more than three million fraudulent accounts." – Our commitment to cybersecurity (https://partner.booking.com/en-us/learn-more/cybersecurity-accommodation-partners), Partner help page, ⚠️
Gaps & Contradictions:
- No public, verbatim statement found that explicitly defines Booking.com's AppSec mission beyond general security/trust messaging. — Information not publicly available.
- No public, verbatim materials found that contrast "developer-first" vs. "security sign-off" using those exact terms. — Information not publicly available.
Security Team
Org Structure & Reporting Line: "Our Security, Safety and Fraud teams are at the centre of protecting our customers" – Security & Infrastructure (https://careers.booking.com/teams/security-infrastructure/), Company careers page, ⚠️
Key Public-Facing Leaders (top 1–3 with public profiles):
- Marnie Wilking, Title: VP / Chief Security Officer – profile and interview citations: Name, Title – Fairygodboss (profile). URL: https://fairygodboss.com/career-topics/booking-com-marnie-wilking. Key Quote: "My goal for my team is that everyone loves the work they do." – Fairygodboss, Interview/profile.
Team Size Estimate (as_of:):
- LinkedIn Search Query Used: "Booking.com application security" "Application Security" site:linkedin.com OR "Booking.com" AND "security engineer" (used across LinkedIn/company index queries)
- Result: Information not publicly available.
Active AppSec Job Postings (as_of:):
- Count: Information not publicly available. (Jobs pages list Security & Infrastructure roles broadly but no aggregated AppSec posting count found.)
Common Skill/Tool Patterns (from public sources):
- "HashiCorp Vault" and related secrets management practices referenced in vendor case study about Booking.com's security work.
- "scaling HashiCorp Vault to handle 500+ requests per second" – HashiCorp blog, Vendor blog.
Gaps & Contradictions:
- No public org chart, explicit reporting line to CISO/CTO, or statement whether AppSec is centralized or embedded was found. — Information not publicly available.
- No reliable public team-size figures or LinkedIn-derived ranges for Booking.com's AppSec team were found. — Information not publicly available.
Key Initiatives
Security Champions Program: Status: No Evidence Found. — Information not publicly available.
"Shift Left" in Practice: "Developers get consistent access patterns" (context: self-service and platformization enabling developers) – HashiCorp blog, Vendor blog.
Vulnerability Management Process:
- Intake: "In 2024, we blocked more than three million fraudulent accounts." — indicates detection/operational security scale but does not describe AppSec triage workflows. – Partner cybersecurity page, ⚠️
- Triage/Remediation: Information not publicly available.
Secure SDLC Artifacts: "Setting up two-factor authentication (2FA)" – Securing your account (partner help), Partner help page. (This documents platform account security controls, not internal SDLC review requirements.)
Recent Initiatives (Last 6 Months): Status: No AppSec-specific, publicly dated initiatives within the last 6 months (since) were found in company pages or public talks. — Information not publicly available.
Gaps & Contradictions:
- No public, verbatim descriptions of vulnerability triage SLAs, MTTR targets, or ticketing ownership were found. — Information not publicly available.
- No public evidence of an official Security Champions program structure or named champions. — Information not publicly available.