Application Security Engineer

2 - 5 years

4 - 9 Lacs

Posted: 9 hours ago | Platform: Naukri

Work Mode: Work from Office

Job Type: Full Time

Job Description

Role Summary

Application Security Engineer (VAPT & API Security) will be responsible for protecting our clients' web applications and APIs by serving as the subject matter expert (SME) for our Web Application Firewall (WAF) service. This role requires a strong offensive security mindset to conduct comprehensive vulnerability assessments, translate findings into effective WAF rules, and continuously tune policies to maintain a robust defense against emerging threats.

Key Responsibilities

Vulnerability Assessment (VA) & API Security

  • Perform Vulnerability Assessments and light Penetration Testing on client web applications and APIs to identify critical security flaws.
  • Deeply understand and provide effective mitigation strategies for common vulnerabilities, including the OWASP Top 10 and OWASP API Security Top 10.
  • Evaluate and ensure the security of modern API architectures, including REST and GraphQL, focusing on authentication (e.g., OAuth, JWT), authorization (BOLA/BFLA), and proper data handling.
  • Collaborate with application development and DevOps teams to advise on secure coding practices and security architecture improvements.

WAF Management & Rule Tuning

  • Design, implement, and manage custom security policies and rulesets across various WAF platforms (e.g., Cloudflare, Akamai, AWS WAF, ModSecurity) for diverse client applications.
  • Proactively tune and optimize WAF policies to minimize False Positives (FPs) while ensuring high-fidelity threat detection and blocking.
  • Conduct forensic analysis of WAF logs and security events to identify new attack vectors and bypassed rules, and adjust mitigations accordingly.
  • Stay current with the latest CVEs and threat intelligence and rapidly deploy compensating WAF controls.

Required Qualifications and Skills

Foundational Expertise

  • 2+ years of experience in an Application Security, Penetration Testing, or Security Engineering role.
  • Expert-level knowledge of HTTP/HTTPS protocols, TCP/IP, and TLS/SSL.
  • Proficiency with security tools such as Burp Suite Professional, OWASP ZAP, and various vulnerability scanners.
  • Solid understanding of common attack techniques (SQLi, XSS, SSRF, Deserialization, XXE, Command Injection).

WAF & API Specific Skills (The Core)

  • Mandatory: Proven hands-on experience in writing, customizing, and tuning WAF rules (e.g., ModSecurity/Coraza Rule Language, WAF custom policy language).
  • Strong understanding of API security mechanisms and vulnerabilities (e.g., broken object level authorization - BOLA, excessive data exposure).
  • Experience with cloud security platforms and WAF offerings in major environments (AWS, Azure, GCP).

Desirable (Nice-to-Have) Skills

  • Industry certifications such as OSCP, CEH, CISSP, GWEB, or relevant cloud certifications.
  • Experience with Bot Management and Layer 7 DDoS mitigation strategies.
  • Familiarity with container security and microservices architecture.
  • Experience in a client-facing service provider environment.

Job Type: Full-time
