Security Analyst- SCA & SAST

Role & responsibilities

The Senior Security Analyst (IC2) will be responsible for strengthening application security across the organisation by implementing secure development practices, performing vulnerability assessments, and driving DevSecOps initiatives. This role requires hands-on expertise in Static Application Security Testing (SAST), Software Composition Analysis (SCA), and a strong understanding of Application Security (AppSec) and DevSecOps principles.

Key Responsibilities:

• Application Security Testing :

Perform SAST and SCA scans for web, API, and mobile applications.

Analyse scan results, prioritise vulnerabilities, and collaborate with development teams for remediation.

• DevSecOps Integration

Embed security controls into CI/CD pipelines and automate security checks.

Drive adoption of secure coding practices and threat modelling across development teams.

• Risk Management

Conduct security reviews and validate secure architecture designs.

Maintain compliance with industry standards (OWASP, NIST, ISO 27001).

• Tool Management

Manage and optimise security tools such as HP Fortify, Checkmarx, Veracode, Burp Suite, and container security platforms.

Reduce false positives and improve scan efficiency.

• Collaboration & Training

Partner with architects, DevOps, and product teams to integrate security early in the SDLC.

Deliver training sessions on secure coding and tool usage.

• Continuous Improvement

Monitor emerging threats and recommend improvements to security processes.

Participate in POCs for new security tools and automation initiatives.

Preferred candidate profile

Experience & Qualification:

• 3-6 years of relevant experience
• B.E/B. Tech or masters degree from a reputed institute with good academics history.

MUST HAVE

• Technical Expertise

• Strong knowledge of SAST and SCA methodologies.
• Hands-on experience with tools like Fortify, Mend, Checkmarx, Veracode, SonarQube, GHAS.

• Programming Knowledge

• Proficiency in Java, .NET, Python, or JavaScript.

• Certifications

  (Preferred)
• CEH, CSSLP, GWAPT, or similar.

• Experience

• 3–6 years in application security.

Skills required:

• SCA Management

• Perform dependency scanning to identify vulnerable open-source components.
• Use tools like Mend & GHAS for SCA.
• Ensure compliance with licensing and vulnerability management policies.

• SAST Implementation

• Configure and run SAST tools (e.g., Fortify, Checkmarx, Veracode, SonarQube).
• Integrate SAST into CI/CD pipelines for automated code scanning.
• Analyze scan results, prioritize vulnerabilities, and guide remediation.

• Secure Development Lifecycle

• Collaborate with developers to enforce secure coding standards.
• Conduct code reviews and threat modeling sessions.

• Governance & Compliance

• Align with OWASP Top 10, NIST, and ISO 27001 standards.
• Support audits and generate compliance reports.

• Training & Awareness

• Conduct developer training on secure coding and vulnerability remediation.