Posted: 1 day ago
Work from Office
Full Time
About the Team

At Meesho, the Product Security team is at the forefront of protecting our platform and the 5% of Indian households who shop with us daily. We are a team of proactive builders and defenders who thrive on collaboration and a Founder's Mindset. We believe in moving fast, learning from every challenge, and supporting each other's growth through open communication and mentorship. We work hard to secure the massive scale of Meesho's e-commerce platform, and we have fun doing it. If you're a self-starter who enjoys solving complex problems and wants to make a real-world impact, you'll fit right in.

About the Role

As a Security Engineer 2, you will be a key player in maturing our product security posture. You won't just find vulnerabilities; you'll help us build more secure products from the ground up. Your work will directly protect our customers and the business by focusing on offensive security testing, proactive threat modeling, and embedding security into our development lifecycle and company culture.

What You Will Do

Application Security Testing: Conduct comprehensive security assessments (VAPT) of our web platforms, APIs, network and mobile applications (iOS & Android) to identify and mitigate vulnerabilities.

Offensive Security: Plan and execute red team and purple team exercises to simulate real-world attacks, test our defenses, and provide actionable recommendations to improve our security posture.

Threat Modeling: Lead threat modeling sessions for new and existing features, collaborating with engineering teams to identify potential threats in the design phase and integrate security requirements into the product lifecycle.

DevSecOps & Automation: Enhance our CI/CD pipeline by integrating security tools (SAST, DAST, IAST). Develop and implement hands-on security automation to streamline security processes and improve our detection and response capabilities.

Security Culture & Awareness: Drive key security culture initiatives, including managing the Security Champions program, conducting phishing simulations, and delivering developer awareness training sessions.

Risk & Compliance: Contribute to compliance and risk management efforts, such as ISO 27001 readiness, third-party risk management (TPRM), and Business Continuity/Business Impact Analysis (BCP/BIA).

Security Partnership: Act as a security subject matter expert for developers, providing guidance on secure coding practices, vulnerability remediation, and security best practices through code reviews and consultations.

Code Review: Perform manual and automated code reviews to identify security-critical bugs.

Bug Bounty: Assist in managing our bug bounty program, including triaging submissions and engaging with security researchers.

What You Will Need

Experience: 3-5 years of hands-on experience in a product security or application security role.

Education: A Bachelor's or Master's degree in Computer Science, Information Security, or a related field is preferred.

Mobile Security Expertise: Strong experience in mobile application security assessments for both Android and iOS. Proficiency with mobile security tools like Frida, Objection, Drozer, MobSF, ADB, etc. Deep understanding of the OWASP MASVS framework and mobile-specific vulnerabilities (insecure webview, insecure deeplink, insecure data storage, flawed cryptography, etc.).

Web & API Security Expertise: Proven ability to perform security assessments on web applications and APIs, with a strong understanding of the OWASP Top 10 for both. Experience testing for complex vulnerabilities in authentication, authorization, session management, and business logic.

Offensive Security & Threat Modeling: Demonstrated experience planning and executing red team exercises. Proven ability to lead threat modeling sessions and integrate findings into the SDLC.

General Skills & Acumen: Strong analytical and problem-solving skills. Excellent communication skills, with the ability to explain complex security issues to both technical and non-technical audiences. Familiarity with DevSecOps principles and CI/CD pipeline security automation.

(Bonus Points) Active participation in public or private bug bounty programs is a huge plus. Experience with security awareness initiatives (e.g., Security Champions) and compliance frameworks (e.g., ISO 27001, TPRM) is also highly desirable.
Meesho
Bengaluru
25.0 - 30.0 Lacs P.A.