Manager - VAPT & AppSec

8 - 13 years

1 - 3 Lacs

Posted: 16 hours ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description

The Role Description:

AppSec and Vulnerability Management business function

Key General Responsibilities:

  • Lead and drive the AppSec & Vulnerability Management function and service delivery through new project acquisition, project delivery, execution and operations support
  • Strong leadership skills with the ability to lead department and manage functional teams
  • Build and grow the competency through hiring and developing the current team
  • Provide strong technical leadership to the delivery team, partners and customers
  • Results-oriented, with the ability to think big and work backward from customers' needs
  • Project Management, Service Management, Customer handling, Quality assurance
  • Highly effective communicator and demonstrated ability to work cross-functionally, with a track record of delivering results and demonstrating strong ownership
  • People management and accountable for hiring, talent development, performance management, succession planning, coaching to direct reports, and engagement for the teams
  • Excellent communication and interpersonal skills, with the ability to influence and engage stakeholders at all levels within the organization and with customers, partners/vendors
  • Support sales strategy to meet agreed business revenue through pre-sales & appropriate solutions
  • Identify and grow new opportunities with existing customer and ensure customer satisfaction and retention

Key Technical Responsibilities:

  • As Technical leader, drive future strategy around Threat intelligence, security architecture reviews, vulnerability management, security configuration, DevSecOps and application security
  • Perform manual/automated internal and external vulnerability assessments in IT/Cloud and OT
  • Perform security control assessment and vulnerability assessments in OT environment
  • Perform Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST) to identify vulnerabilities in software applications
  • Conduct Vulnerability Assessment and Penetration Testing (VAPT) in Web, Android and API
  • Perform Gray Box and/or Penetration testing on WEB, API and Mobile Device (Android)
  • Complete project work with quality and within deadlines as required, complete the analysis and draw comprehensive conclusions, making appropriate recommendations and a mitigation plan
  • Communicate technical impact and business risk to a non-technical audience after the project
  • Provide expert advice on the selection and implementation of appropriate Security Assessment / Testing software and tools
  • Implement and manage DevSecOps by utilizing Software Assurance Maturity Model (SAMM) to evaluate and improve the security of software development processes
  • Follow security standards and frameworks, and implement best practices methodologies
  • Work closely with product development teams to ensure secure coding practices are followed
  • Educate customers, the technical team and application developers about emerging threats and vulnerabilities and application security to raise awareness and build a Security Champion program

General Experience Requirement for the role:

  • 8+ years of experience in leading and managing Threat & Vulnerability competency, projects and customer engagements
  • 6-8 years of core hands-on experience in the fields of cybersecurity, security standards, best practices, vulnerability assessments, web application testing, network and mobile application assessment, and penetration testing
  • 1-2 years of experience in enterprise security management, security products/solution integration/security operations, with good understanding of Network and system security concepts and standards, security best practices
  • Experience building, leading and managing security teams with experience in cybersecurity practices, AppSec, threat intelligence, vulnerability management, penetration testing, infrastructure security assessment
  • Excellent Project Management, Service Management and customer handling skills
  • Possess excellent written, presentation and verbal communication skills necessary for team coordination, helping partners, and service discussions along with organizational skills
  • Good analytical skills with an ability to think outside the box to solve highly technical problems
  • Ability to work effectively with clients, management, staff members, vendors, and consultants
  • Good interpersonal skills to interact and collaborate with senior management stakeholders such as IT, Network and Security and CIO/ CTO/ business leadership teams
  • Ability to work calmly with patience in high pressure situations in a dynamic environment

Education and Certification preferred for the role:

  • BTech/B.E. in CSE/IT/CSA/ECE
  • MCA/ MTech/MS in CSE/IT/CSA/Electronics
  • Any of the security certifications such as CEH, CHFI, ECSA, OSCP, GPEN, CISSP/CISM/CISA

Technical Skills that are Key to this role:

  • Strong background in Network/Infrastructure Vulnerability Assessment and Penetration Testing
  • Good understanding of security vulnerabilities, OWASP Top 10 vulnerabilities, Enterprise security architecture, standards, relevant best practices and frameworks
  • Extensive expertise in Web, API, Android Mobile Apps, and AWS/Azure Cloud Security
  • Experience with software penetration testing, architectural risk assessment, threat modeling, static code analysis and secure code review on WEB, API and Android mobile applications
  • Web Application Penetration Testing: Strong experience in assessing web applications for security vulnerabilities using tools such as Burp Suite, OWASP ZAP, or similar.
  • Mobile Application Penetration Testing: Proficiency in evaluating the security of mobile applications on Android platforms, including reverse engineering and code analysis.
  • Cloud Security: In-depth knowledge of cloud security best practices, including experience with AWS/ Azure Cloud Platform, and the ability to configure security controls and monitor for cloud-based threats, with experience in AWS/Azure cloud security assessments.
  • API Security: Expertise in assessing the security of APIs, including authentication, authorization, and data protection.
  • Web Application and Mobile Apps security assessment in accordance with the OWASP standards.
  • Vulnerability assessment, including analysis of bugs in various applications across various domains using both manual and automated tools.
  • Familiarity with security in DevOps and continuous integration/continuous deployment (CI/CD) pipelines.
  • Experience of working on Windows and Linux, with a good understanding of operating system internals (Windows, Linux and Mobile OS (Android)) and app development (especially mobile)
  • Should be familiar with common compliance requirements like GDPR, PCI-DSS, ISO 27001
  • Experience with mobile Open Web Application Security Project (OWASP) standards and testing checklist.
  • Should be able to configure automated scanners (such as login sequence, manually exploring critical flaws, policy customization, scan throttling, etc.) to perform successful scans.
  • Assessment of scanner results and intelligently identifying false positives from the scan results.
  • Flaws such as authentication (session management), CSRF and business logic issues, which are not detected by an automated scanner, must be identified using manual testing.
  • Understanding of the workflow of the application and identifying the entry points to detect possible vulnerabilities.
  • Hands-on experience with popular security tools: NMAP, Nessus, Burp Suite, Netsparker, Metasploit, OWASP ZAP.
  • Familiar with Agile process and development tools (Jira, Confluence, Bitbucket, Git, Maven, Jenkins, etc.)
