Required Skills & Qualifications
Authentication & Authorization Expertise
- 8+ years of experience in application security with focus on authentication and authorization
- Deep understanding of authentication mechanisms (username/password, MFA, biometric, SSO)
- Expert knowledge of authentication protocols (OAuth 2.0, OpenID Connect, SAML, JWT)
- Strong expertise in authorization patterns (RBAC, ABAC, ReBAC, PBAC)
- Understanding of federation and identity management concepts
- Knowledge of passwordless authentication approaches
Session Management Expertise
- In-depth knowledge of session management best practices
- Understanding of session storage mechanisms (server-side, client-side, distributed)
- Knowledge of session security controls (timeouts, rotation, invalidation)
- Expertise in identifying session-related vulnerabilities (fixation, hijacking, prediction)
- Understanding of token-based session management
- Knowledge of cookie security attributes and configurations
Data Flow Security
- Ability to analyze application data flow diagrams
- Understanding of data classification and sensitive data handling
- Knowledge of data protection mechanisms (encryption in transit and at rest)
- Expertise in identifying data exposure risks in application flows
- Understanding of input validation and output encoding requirements
- Knowledge of secure data transmission patterns
Technical Knowledge
- Strong understanding of web application architectures
- Knowledge of API security patterns (REST, GraphQL)
- Understanding of mobile application authentication flows
- Familiarity with microservices authentication and authorization
- Basic knowledge of cryptography and secure token generation
- Understanding of common authentication vulnerabilities (OWASP Top 10)
Threat Modeling
- Experience with threat modeling methodologies (STRIDE preferred)
- Ability to identify authentication and authorization threats
- Knowledge of attack patterns for broken authentication and access control
- Understanding of OWASP ASVS Chapter 2 (Authentication) and Chapter 4 (Access Control)
Preferred Qualifications
- Security certifications focused on application security
- Experience with identity and access management (IAM) solutions
- Knowledge of standards like NIST 800-63 (Digital Identity Guidelines)
- Understanding of privacy requirements related to authentication
- Experience with single sign-on (SSO) implementations
- Familiarity with zero-trust authentication principles
Educational Qualifications
- Bachelor's or Master's degree in Computer Science, Information Security, or related field
- Equivalent work experience will be considered
Key Competencies
- Deep analytical skills for reviewing authentication and authorization flows
- Strong understanding of session security principles
- Ability to trace and validate data flows
- Excellent communication skills to explain security findings
- Collaborative approach with development teams
- Detail-oriented with focus on access control logic
- Problem-solving mindset for authentication design challenges
Scope Limitations
This role specifically focuses on:
- Authentication mechanisms and flows
- Authorization and access control designs
- Session management configurations
- Application data flow security
OWASP Top 10, Information Security, Threat Modeling, Web Application Architecture, Mobile Application Security
Key Responsibilities
Application Security Design Review
- Conduct security design reviews focused on authentication and authorization mechanisms
- Analyze session management architecture and identify security weaknesses
- Review data flow diagrams to ensure secure handling of sensitive data
- Evaluate application design documents for security gaps in auth flows
- Assess login flows, user registration, password management, and account recovery designs
- Review API authentication and authorization designs
- Analyze token management and JWT implementation approaches
Threat Modeling (Focused Scope)
- Lead threat modeling sessions specifically for authentication and authorization flows
- Identify threats related to session hijacking, session fixation, and session management
- Analyze data exposure risks in application data flows
- Assess privilege escalation risks in authorization designs
- Document attack scenarios for authentication bypass and broken access control
Security Requirements Definition
- Define security requirements for authentication mechanisms
- Specify authorization controls and access control requirements
- Establish session management security requirements
- Document data protection requirements for sensitive data flows
- Ensure compliance with OWASP ASVS requirements for authentication and session management
Collaboration & Guidance
- Work with development teams to review authentication and authorization designs
- Provide guidance on secure session management patterns
- Advise on secure data flow implementation approaches
- Review and validate remediation approaches for identified design flaws
- Facilitate design review sessions with architects and developers
Documentation & Reporting
- Create security design review reports with findings and recommendations
- Document threat models for authentication and authorization flows
- Track and verify closure of identified design issues
- Maintain secure design patterns for authentication, authorization, and session management