Product Security Lead (Secure SDLC & VAPT)

Location:

Function:

Experience:

We’re looking for an Product Security Lead to embed security into our SDLC and own end-to-end VAPT remediation across our lending product suite (LOS/LMS, rules engine, analytics). You’ll partner with engineering and platform teams to design, build, and operate secure-by-default products used by leading financial institutions.

• Own the Secure SDLC

  for microservices (Java/Spring Boot), Node/TypeScript backends, Angular UIs, and Android/Flutter apps—policy, standards, and release gates.

• Build and run CI/CD security controls:

  SAST, SCA/SBOM, secrets & IaC checks, container/image scanning; automate DAST/IAST in pipelines; enforce block-on-fail where needed.

• Drive VAPT end-to-end:

  scope with internal/third-party testers, triage findings, set SLAs, track remediation to closure; verify fixes and prevent regressions.

• Threat model & review designs/code

  for authN/Z, crypto, session management, API security, data protection/PII, and high-risk modules (payments, onboarding, documents).

• Cloud & platform security (AWS):

  baselines for EC2/ALB, RDS/KMS, S3 policies, network segmentation, mTLS/JWT service auth, Vault-backed secrets, and key rotation.

• Observability & governance:

  wire security logs to SIEM, define AppSec KPIs (MTTR, SLA adherence, gate coverage), and report risk posture to engineering leadership.

• Upskill teams:

  run secure coding workshops, build a “security champions” program, create playbooks/runbooks for common vulns and abuse cases.

• 7–12 years in

  Application/Product Security

  , including leading Secure SDLC and VAPT remediation in a product engineering environment.
• Hands-on with

  SAST/SCA/DAST/IAST

  , code reviews, and threat modeling (e.g., STRIDE); ability to read code in

  Java/Spring

  ,

  Node/TypeScript

  , and

  Angular

  .
• Prior experience in integrating security checks and gating critera with CI platform like SonarQube
• Strong grasp of

  OWASP Top 10, API Security Top 10, ASVS, CWE

  , secrets management, and CI/CD hardening.

• AWS security

  experience: IAM, KMS, RDS encryption, SG/WAF, CloudTrail/GuardDuty; familiarity with Docker/Kubernetes and

  IaC

  (Terraform/CloudFormation).
• Experience running vendor/3rd-party

  VAPT

  cycles and landing fixes to SLA with engineering teams.
• Awareness of compliance contexts (ISO 27001/SOC 2, RBI guidance,

  DPDP Act

  ) and secure handling of PII/financial data.
• Nice to have: mobile app security (OWASP MASVS), OAuth2/OIDC, mTLS, WebAuthn/modern auth patterns; Kafka, Redis, NGINX, Consul, Vault.
• Certifications (optional, a plus):

  OSWE/OSCP

  ,

  GWAPT/GWEB

  ,

  CSSLP

  .

• ≥

  95%

  of Critical/High findings closed

  within SLA

  across services.
• All repos behind

  security gates

  with SBOMs published;

  zero hard-coded secrets

  ; baseline threat models for top services.
• Repeatable VAPT → remediation → verification loop with dashboards visible to leadership.

• Build security for

  mission-critical fintech products

  at scale.
• High ownership, direct impact, and the chance to set the bar for product security across our stack.
• Collaborative culture with strong engineering, rapid delivery, and growth opportunities.