6.0 - 11.0 years
6.0 - 11.0 Lacs P.A.
Bengaluru / Bangalore, Karnataka, India
Posted: 16 hours ago
Remote
Full Time
Security Engineer - Application Security
Location: Bengaluru (Hybrid Work Mode)
Experience: 6-11 Years

We are seeking a highly skilled and experienced Security Engineer specializing in Application Security with 6-11 years of dedicated experience to join our team in Bengaluru. This role offers a hybrid work mode, combining the flexibility of remote work with in-office collaboration.

As an Application Security Engineer, you will be instrumental in embedding security throughout our Software Development Lifecycle (SDLC). You will work closely with development teams to identify, remediate, and prevent security vulnerabilities in our applications, ensuring our products are built securely by design and default.

Key Responsibilities:
- Integrate security best practices into the entire Software Development Lifecycle (SDLC), from design and development to deployment and maintenance.
- Conduct comprehensive threat modeling and security risk assessments for new and existing applications, identifying potential vulnerabilities and recommending appropriate controls.
- Perform various security testing activities, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and manual code reviews.
- Collaborate directly with development and DevOps teams to provide secure coding guidelines, remediate identified vulnerabilities, and implement automated security checks in CI/CD pipelines.
- Review application architecture and designs to ensure security principles are integrated from the initial stages.
- Evaluate, implement, and manage application security tools and technologies to enhance our security posture.
- Develop and deliver security awareness training and secure coding practices to engineering teams.
- Stay current with the latest application security threats, vulnerabilities, attack techniques, and remediation strategies.
- Participate in security incident response activities related to application vulnerabilities as required.
- Contribute to the continuous improvement of our application security policies, standards, and processes.

Required Qualifications:
- 6-11 years of progressive experience specifically in Application Security, Secure SDLC, or a similar role.
- Bachelor's degree in Computer Science, Information Security, or a related technical field.
- Proven experience working in Agile/DevOps environments.

Mandatory Skills:
- Secure SDLC & DevSecOps: Deep understanding and practical experience in embedding security into all phases of the SDLC and integrating security practices into DevOps pipelines.
- Threat Modeling: Proficiency in applying threat modeling methodologies (e.g., STRIDE, DREAD) to identify and prioritize application security risks.
- Application Security Testing: Hands-on experience with SAST, DAST, and SCA tools (e.g., SonarQube, Fortify, Checkmarx, Veracode, OWASP ZAP, Burp Suite, Dependency-Check, Snyk).
- Secure Coding Practices: Strong knowledge of secure coding principles and common vulnerabilities (e.g., OWASP Top 10, SANS Top 25), with the ability to perform manual code reviews across various programming languages (e.g., Java, Python, Node.js, .NET).
- Web Application Security: Extensive experience with web application security concepts, common attack vectors, and defense mechanisms.
- Cloud Security: Familiarity with cloud security principles and best practices for applications deployed on cloud platforms (e.g., AWS, Azure, GCP).
- API Security: Understanding of API security best practices, authentication, and authorization mechanisms.
- Container Security: Knowledge of containerization (Docker) and orchestration (Kubernetes) security considerations.
- Vulnerability Management: Experience in vulnerability assessment, prioritization, and remediation tracking.
- Communication & Collaboration: Excellent written and verbal communication skills, with the ability to effectively communicate complex security issues to technical and non-technical stakeholders.