Security Engineer

4 - 6 years

3 - 5 Lacs

Posted: 1 day ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description

As a Security Engineer, your primary focus will be on securing code before it reaches production and ensuring that vulnerabilities are identified and addressed early in the development lifecycle. You will play a key role in code scanning and vulnerability assessment, ensuring that all code entering production is secure, compliant, and free from vulnerabilities.
Your responsibilities will include integrating security practices into the CI/CD pipeline to automate security checks and vulnerability remediation. By embedding security throughout the Secure Software Development Life Cycle (SSDLC), you will work closely with development, DevOps, and security teams to ensure a proactive approach to security, preventing vulnerabilities from making it to production.


Roles and Responsibilities:
Code Review & Vulnerability Assessment:

Conduct manual and automated code reviews to identify security vulnerabilities, focusing on OWASP Top 10, CWE Top 25, and business logic flaws.
Integrate security controls across all stages of the Secure SDLC, from development to deployment. Work with developers to ensure vulnerabilities are caught before code is pushed to production by integrating security checks into the CI/CD pipeline.
Conduct regular security reviews, threat modelling, and risk assessments for applications and infrastructure.
Ensure timely patching, vulnerability mitigation, and compliance with internal security policies.
Work closely with development teams to promote secure coding practices and perform Security Code Reviews (SCR).
Contribute to continuous improvement of DevSecOps pipelines, documentation, and security automation.
Track vulnerabilities identified through security tools and ensure that they are promptly prioritized and remediated.


Security Automation & Tool Integration:

Security Tool Integration: Familiarity with a range of security tools is required, including knowledge of CNAPP (Orca, Prisma Cloud, etc.) or any other applicable on-premises scanning tools.
Automate and maintain security scanning pipelines using tools like SonarQube, OWASP ZAP, Burp Suite Enterprise, Snyk, Trivy, or Checkmarx.
Automate security scans within the build and deployment pipeline (e.g., using Jenkins, GitLab CI, GitHub Actions).
Ensure proper data encryption in transit and at rest and validate key/certificate rotation practices.

Collaboration & Culture Building:

Collaborate with developers, DevOps, and security teams to integrate security into the development process.
Collaborate with DevOps and infrastructure teams to ensure runtime hardening, log integrity, and secure configuration baselines in on-premises deployments.
Provide support and mentoring to junior team members on secure coding practices and the use of security tools.

Security Standards & Compliance: Ensure code complies with relevant regulatory and security standards such as PCI-DSS, ISO 27001, and internal security policies. Act as first technical responder for product-related incidents; perform root-cause analysis and coordinate patch release within defined SLAs.

Incident Response & Remediation: Participate in incident response activities and collaborate with teams to remediate identified vulnerabilities.



Requirements
Desired Candidate profile:

  • Bachelor's degree in Computer Science, Information Security, or a related field.
  • 3-4 years of hands-on coding (to fix or co-fix vulnerabilities) experience in Application Security, code review, security architecture. Experience in DevSecOps will be an added advantage.
  • Strong knowledge of Secure SDLC methodologies and security automation.
  • Experience integrating SAST, DAST, and SCA tools within CI/CD pipelines.
  • Good understanding of VAPT processes and coordination with pen testing teams
  • Understanding of a programming language (Java will be good).
  • Proficiency in scripting languages (Python, Bash, or PowerShell).
  • Understanding of OWASP Top 10, CWE, and common vulnerability management frameworks.
  • Industry standards and frameworks such as OWASP, NIST, and SANS.
  • Strong communication and interpersonal skills to collaborate with cross-functional teams and stakeholders.
  • Experience with cloud platforms like AWS, Azure, or GCP and understanding of cloud security best practices (e.g., Kubernetes security, IAM management in AWS/GCP/Azure, etc).
  • Experience in a regulated domain (finance, healthcare, e-commerce, etc.).
  • Hands-on reverse engineering / vulnerability research / exploit development experience.
  • Experience with runtime application security (RASP, WAF integrations, runtime instrumentation).
  • Familiarity with security in containerized / serverless / microservices / Kubernetes environments.

FCI CCM

Logistics and Supply Chain

Logistics City

new delhi, delhi, india