Application Security Specialist

6 - 11 years

8 - 13 Lacs

Posted: 8 hours ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description

We are seeking an experienced professional to join us as an Application Security Specialist in our Pune, India office. This professional will be responsible for implementing DevSecOps practices across cloud environments and maturing ZS's Application Security Program. This role requires strategic and out-of-the-box thinking, high technical expertise, and effective communication skills to proactively identify and address security risks.

What you'll do:

  • Lead the design and implementation of a DevSecOps framework, integrating security seamlessly into CI/CD pipelines across multiple environments and platforms.
  • Collaborate with developers, SREs, and security teams to embed security controls and testing at build, deployment, and runtime stages.
  • Build and manage automation for SAST, DAST, SCA, container security, and IaC scanning tools (e.g., SonarQube, Checkmarx, Snyk, Trivy, Terraform Scan).
  • Analyze results from SAST, SCA, and DAST scans to validate findings, eliminate false positives, and work with development teams to prioritize and remediate security issues.
  • Leverage expertise in TeamCity and AWS to build secure, scalable CI/CD pipelines and enforce security controls throughout the software delivery lifecycle.
  • Champion shift-left security practices by developing reusable pipelines, templates, and toolchains that promote secure coding and rapid feedback loops.
  • Ensure ongoing visibility and reporting of security posture in cloud-native workloads, container platforms, and serverless environments.
  • Lead training sessions and build developer-friendly resources to raise DevSecOps awareness across engineering teams.
  • Stay current with evolving tools, threats, and best practices in secure software delivery, continuously innovating to improve security effectiveness and developer experience.
  • Partner with product owners, developers, architects, and QA engineers to build secure-by-design applications.
  • Provide mentorship and security guidance to internal stakeholders to raise overall security maturity.
  • Collaborate closely with Application Security teams to align on secure development standards, threat modeling efforts, and triaging complex vulnerabilities identified during code and runtime analysis.

What you'll bring:

  • Expertise in implementing DevSecOps practices in cloud-native CI/CD pipelines (e.g., GitLab CI, GitHub Actions, Jenkins, TeamCity, Azure DevOps, Bitbucket).
  • Strong hands-on experience with application security tools such as SonarQube, Fortify, Checkmarx, Snyk, Veracode, BlackDuck, Burp Suite, OWASP ZAP.
  • Knowledge of containerization and orchestration security (Docker, Kubernetes, Helm) and tools like Trivy, Kube-bench, and Aqua.
  • Working knowledge of programming/scripting languages like Python, Java, JavaScript, C#, .NET, or Go.
  • Familiarity with cloud-native security controls (AWS Security Hub, Azure Defender, GCP Security Command Center).
  • Strong scripting skills in Python, Bash, or PowerShell for automation and tool integration.
  • Ability to develop and enforce security guardrails, policies, and standards in automated and scalable ways.
  • In-depth understanding of OWASP, CWE, CVE scoring, and secure SDLC methodologies.
  • Ability to clearly document findings and communicate risk effectively to technical and non-technical stakeholders.
  • Strong collaboration, communication, and interpersonal skills, with the ability to collaborate effectively with cross-functional teams, communicate complex technical concepts to non-technical stakeholders, and build consensus around security initiatives.

Good to have skills and abilities:

  • Knowledge of policy-as-code frameworks (e.g., OPA/Gatekeeper, Sentinel).
  • Familiarity with DevSecOps Maturity Models and experience driving measurable security improvements across teams.
  • Exposure to compliance automation for frameworks such as SOC 2, HIPAA, GDPR.
  • Experience in chaos engineering, resilience testing, or runtime application self-protection (RASP).
  • Experience with Infrastructure as Code (IaC) security using Terraform, CloudFormation, and tools like tfsec or Checkov.
  • Experience and expertise in application penetration testing, including business logic abuse, authentication/authorization flaws, and client-side vulnerabilities.
  • Familiarity with common reconnaissance, exploitation, and post-exploitation techniques.
  • Experience in API security testing, including assessment of REST and GraphQL endpoints for issues such as broken object-level authorization (BOLA), mass assignment, injection flaws, and improper rate limiting.

Academic Qualifications:

  • Bachelor's degree in computer science, management of computer information, information assurance, or cybersecurity
  • 6+ years in DevSecOps / Secure DevOps / Security Engineer / Application & Cloud Security roles
  • Must-have certifications: OSWE / CSSLP / AWS Certified Solutions Architect / AWS Security Specialty
  • Preferred Certifications: AWS CLP, GIAC (GCSA), GIAC (GWAPT), OSCP, OSWA, OSEP, eWPTX.

ZS

Consulting and Technology

Roseville
