AVP / Senior Manager Application Security (SAST & SCA)

Role Overview

The ideal candidate will be responsible for overseeing **Static Application Security Testing (SAST)** and **Software Composition Analysis (SCA)** processes, strong secure coder, ensuring secure coding practices, and managing security risks within the software development lifecycle (SDLC). This role requires close collaboration with development, DevSecOps, and risk management teams to identify and remediate vulnerabilities effectively.

Key Responsibilities

1. SAST & SCA Strategy and Implementation

• Define, implement, and manage **SAST & SCA frameworks** to secure the banks applications.
• Lead the integration of security tools (e.g., Fortify, Checkmarx, SonarQube, Veracode, Snyk, Black Duck) into CI/CD pipelines.
• Continuously evaluate and enhance scanning methodologies to improve detection and remediation of vulnerabilities.

2. Vulnerability Management & Risk Mitigation

• Oversee the assessment, triage, and remediation of vulnerabilities identified through SAST & SCA scans.
• Establish risk-based prioritization for vulnerabilities, collaborating with development teams for timely fixes.
• Ensure compliance with industry standards (OWASP, NIST, ISO 27001, PCI-DSS) and internal security policies.

3. Collaboration & Stakeholder Management

• Work closely with development, DevOps, and security teams to promote secure coding practices
• Collaborate with third-party vendors for security tool management and support
• Present vulnerability trends, remediation progress, and risk insights to senior leadership and risk committees.

4. Governance, Training & Awareness

• Develop and enhance secure coding guidelines and best practices for development teams.
• Conduct security awareness sessions and training for developers on SAST/SCA findings and secure coding practices.
• Define and track key security metrics (KPIs/KRIs) to measure the effectiveness of the SAST & SCA programs.

Qualifications & Experience

• 8-10 years (SM) and 12-15 years (AVP) of experience in Application Security**, with a strong focus on SAST and SCA.
• Deep understanding of secure SDLC, DevSecOps, and CI/CD integration.
• Hands-on experience with **SAST & SCA tools** (Fortify, Veracode, Checkmarx, Snyk, Black Duck, SonarQube, etc.)
• Strong knowledge of **secure coding practices**, vulnerability remediation, and risk management
• Comprehensive Experience with **programming languages** (Java, .NET, Python, JavaScript) and their security implications
• Able to write secure code
• Experience in **regulatory compliance** frameworks (OWASP Top 10, NIST, ISO 27001, PCI-DSS, RBI Guidelines)
• Strong leadership and stakeholder management skills
• Certifications preferred:** CISSP, OSWE, OSCP, CSSLP or any relevant security certification