Lead Security Engineer, Web Development

Lead Security Engineer

Experience Level: 7-10 years

Location: Pune

Come work at a place where innovation and teamwork come together to build products that make the world safe.

Why Qualys

Qualys, Inc. is a pioneer and leading provider of cloud security and compliance solutions. Qualys helps organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications via its award winning Qualys Cloud Platform.

About Product Security at Qualys

The Product Security team operates differently. Simply put, build programs and resources to support the company exceed on goals related to the security of the customer experience on Qualys. We prevent problems from becoming incidents.

About This Role

Lead Security Engineer

Typical Duties

• Lead web application security initiatives across multiple product lines.
• Develop security automations for product security shift left initiatives.
• Perform application security assessments including static/dynamic code analysis, and manual testing.
• Conduct secure code reviews for applications developed in Java and/or Python, ensuring adherence to best practices and compliance standards.
• Collaborate with development teams to design and implement secure coding practices and provide remediation guidance for identified vulnerabilities.
• Build prototypes of security capabilities, collaborate with developers on improvements, help Qualys ship security in our products.
• Drive threat modeling exercises and identify application design risks.
• Establish and improve processes for integrating security into CI/CD pipelines.
• Serve as a subject matter expert (SME) for web application security, mentoring engineers and raising security awareness.
• Stay current with the latest application security trends, vulnerabilities (e.g., OWASP Top 10, SANS 25), and relevant tooling.
• Partner with product, DevOps, and infrastructure teams to build a comprehensive secure SDLC framework.

What You’ll Bring

• Bachelor’s degree

  in computer science, Information Security, or related field (or equivalent practical experience).
• 7+ years of overall software security experience at product-led companies.
• Minimum 3 years of hands-on experience focused on Java, Python and/or Golang development.
• Extensive experience in event-driven architectures, multi-tenant solutions, software patterns, and mature web middleware used in SaaS applications.
• Proven track record of driving complex security initiatives through cross-functional collaboration and influence.
• Strong background in application security and product security.
• Hands-on practical experience delivering enterprise level cybersecurity solutions and controls via Threat Modeling and Security Design & Architecture Reviews.
• Proven experience in DevSecOps capabilities, test-driven development, client-side software, and microservice architecture.
• Knowledge of cybersecurity architecture, applications, and technical processes with considerable, in-depth knowledge in one or more technical disciplines (including but not limited to Private Cloud deployment, artificial intelligence, machine learning etc.).
• Proven hands-on experience with:
• Application security testing (SAST, DAST, IAST, manual penetration testing).
• Performing and leading secure code reviews.
• Identifying and remediating common web application vulnerabilities.
• Familiarity with OWASP Top 10, CWE/SANS Top 25, and other application security standards.
• Experience within Product Security including but not limited to:
• Deploying products using Cloud and containers technology (e.g. GCP, AWS, Kubernetes, Docker)
• Securing APIs and micro-services
• Securing Software as a Service (SaaS) tool and managing their security baseline posture
• Software Supply Chain Security
• Mentoring and developing security point of contacts/ experts within development teams who will act as helping hands for the product security team.

Nice to have

• Experience integrating security tools into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI, etc.).
• Exposure to cloud security (AWS, Azure, GCP) in the context of web applications.
• Certifications such as OSWE, OSCP, GWAPT, or CSSLP are a plus.
• Prior experience mentoring or leading a small security team.

Soft Skills

• Excellent communication and collaboration skills to work across engineering and product teams.
• Ability to translate complex security issues into clear guidance for developers.
• Strong problem-solving mindset with a balance of pragmatism and security rigor.