Job Summary
As a Consultant Product Security, you will guide the organization in designing and implementing secure software development practices by collaborating with development, DevOps, and operations teams to embed security throughout every phase of the software development lifecycle (SDLC).
Your responsibilities will include advising on application security scans, developing tool run books, and driving automation initiatives to enhance DevSecOps programs. You will also recommend best practices and process improvements to improve the efficiency of the overall security program.
Responsibilities
- Define and enforce secure coding standards and best practices.
- Hands on experience to perform Threat Modeling and source code analysis across various development languages (preferably in .NET and JAVA)
- Design and implement secure CI/CD pipelines with integrated security controls.
- Automate security testing (SAST, DAST, IAST, SCA, container scanning) in the SDLC process.
- Evaluate and integrate security tools and platforms
- Lead DevSecOps program in collaboration with DevOps, Operations and Engineering teams
- Build automation focused on efficiency (E.g. increase triaging efficiency, manage false positives etc.)
- Leverage ASPM and build workflows and reports
- Evaluate and integrate security tools and platforms
- Implement Infrastructure as Code (IaC) security and cloud-native security controls.
- Monitor and respond to security incidents in development and production environments.
- Collaborate with development teams to remediate vulnerabilities and design secure applications.
- Develop and deliver secure coding training and awareness programs.
- Stay current with emerging threats, vulnerabilities, and security technologies.
- Ensure compliance with industry standards (e.g., OWASP, NIST etc).
Requirements
- Overall, 8 -10 years of experience in application security, software development, or related roles.
- 6+ years of work experience in Application security, preferably in a fintech or financial services domain
- Strong understanding of web, mobile, API and cloud applications & its architectures.
- Experience of code reviewing or code contributing to Java, Java Script, .Net. C#, Python, or IaC scripting.
- Hands-on experiences running SCA, SAST, DAST, IAST, SBOM, ASPM, Apigee, WAF etc., with approaches or optimizations for the tools to efficiently enforce the enterprise S-SDLC policies.
- Deep understanding of DevSecOps practices and experience in CI/CD automation for one of the popular platforms, such as Gitlab, GitHub or Azure DevOps.
- Knowledge of cloud platforms (AWS, Azure) and container orchestration (Kubernetes, Docker).
- Perspective of supporting developer tools as a security professional (E.g. integrating security tools with IDE, PR checks etc.)
- The experiences in building security controls for a system that follows NIST CSF and SSDF frameworks and performing risk-based security reviews that meet the OWASP, SOC2, GDPR requirements.
- Ability to identify and summarize practical operational procedures, write standards or SOPs, and provide security scan reports.
- A good understanding of full stack software development and best practices for developing software (version control, branching, automation, IaC, documentation, testing, etc.)
- Ability to collaborate cross-functionally and communicate effectively with highly technical teams and provide written assessment reports as needed.
- Certifications such as CSSLP, OSWE, or CEH.
- Exposure to AI security initiatives is an advantage
