Application Security Engineer

Job Summary: The ideal candidate will have a strong background in application security, including hands-on experience with popular security tools, vulnerability assessment, and penetration testing, as well as a deep understanding of security methodologies like OWASP, SANS, and STRIDE. The ASLC will be responsible for ensuring the security of our mobile and web applications, APIs, and cloud environments, while also collaborating with stakeholders to maintain and enhance our security posture. Key Responsibilities: Security Tools Expertise:

• Perform security assessments using tools such as Nmap, Nessus, Kali Linux, Metasploit, BurpSuite, Netsparker, Fortify/Checkmarx, and SonarQube.
• Utilize threat modeling tools to identify and mitigate potential security threats.

Mobile Application Security:

• Conduct Vulnerability Assessment and Penetration Testing (VAPT) for mobile applications (iOS and Android) following SANS and OWASP Top 10 guidelines.
• Implement and validate security controls specific to mobile applications.

Web Application Security:

• Perform security testing on web applications across Black Box, White Box, and Grey Box methodologies.
• Conduct thorough API security testing, ensuring robust protection against common threats.

Vulnerability Assessment and Management:

• Conduct comprehensive vulnerability assessments and provide detailed mitigation recommendations for identified security weaknesses.
• Track and ensure timely closure of open vulnerabilities and findings.

Security Standards and Best Practices:

• Apply knowledge of OWASP Top 10, SANS 25, and other industry standards to enhance application security.
• Conduct static and dynamic analysis to identify potential security issues.

Cloud and Container Security:

• Ensure the security of cloud environments, particularly in AWS.
• Implement and manage security in Docker, EKS, and Kubernetes environments.

DevSecOps:

• Integrate security practices into the DevSecOps pipeline, utilizing relevant tools and methodologies.
• Automate security processes to enhance efficiency and reduce risk.

Threat Modeling:

• Develop and implement threat models using frameworks like STRIDE to predict and mitigate potential attacks.

Stakeholder Coordination:

• Collaborate with various stakeholders, including developers, IT teams, and management, to ensure alignment on security objectives.
• Build and maintain positive working relationships, facilitating communication and coordination.
• Prepare detailed reports on security assessments, findings, and mitigation strategies.

Track the progress of open findings and ensure effective closure. Qualifications: Education: Bachelor’s degree in Computer Science, Information Security, or a related field. Relevant certifications (e.g., CISSP, CEH, OSCP) are highly desirable. Experience & Knowledge required:

• Hands on experience with popular security tools – Nmap, Nessus, Kali, Metasploit, BurpSuite, Netsparker, Fortify/Checkmarks, SonarQube, Threat modelling tools
• Experience with OWASP Top 10, SANS 25, static/ dynamic analysis, and common security tools
• Experience in AWS, Docker, EKS/Kubernetes security
• Thorough understanding of vulnerability assessment and sharing the mitigation / recommendation for the identified security weakness.
• Knowledge of web Application security testing (Black, white and grey box).
• Knowledge and hands on of API security testing.
• Hands on Knowledge of DevsecOps and related tools and methodology
• Good in reporting and tracking of closure of open application related findings
• Good knowledge of threat modelling and understanding the different attacks as per various models such as STRIDE, etc.
• Co-ordination with stakeholders, build and maintain positive working relationships with them