
CSI GLOBAL LTD

Cyber Security Specialist

This job is no longer accepting applications

Posted a month ago

Job Description

Job Title: FOSS Sonatype IQ SME

Location: India (Bengaluru, Hyderabad, Pune)

Department: CSAT- Cybersecurity

Brief overview of the business areas

Global Cybersecurity is responsible for enabling businesses and functions to manage their information, technology and cybersecurity risks by ensuring these are well understood, and that the controls used to manage such events are defined, assessed and implemented appropriately. Cybersecurity delivers this via objective, independent, professional and specialised subject matter experts. The role forms part of the first line of defence (1LoD) within the risk management framework.

The Cybersecurity Assessment and Testing (CSAT) function, part of Global Cybersecurity, is accountable for Vulnerability Management, Secure Development, Threat and Controls Assessment (threat modelling) and Third-Party Security Assessment. The function drives the identification, capture, assessment, testing and ultimately the remediation of security defects, gaps and vulnerabilities across HSBC's estate, in concert with business and technology teams, whether on premise, in the cloud or arising from third-party engagements.

What you will be doing:

The FOSS Sonatype IQ Subject Matter Expert (SME) will work as part of a global team to strengthen the security posture of Free and Open-Source Software (FOSS) at HSBC by maturing and centralising the FOSS security operating model, significantly improving its service offerings and enhancing its internal processes through the execution of prioritised initiatives in collaboration with Cybersecurity, the CTO and the various Global Businesses and Global Functions (GB/GF).

This role reports to the FOSS Vulnerability Scanning Oversight Lead and works closely with the Global Head of Secure Development, collaborating with peers across the Secure Development function, Vulnerability Management, the Chief Technology Office (CTO), Third Party Security Assessment, the Cybersecurity Engineering team and the Cybersecurity Business Enabler (CBE) leads to enable effective end-to-end vulnerability identification, triage and remediation.

Job Summary

We are seeking a highly skilled and self-driven FOSS Sonatype IQ Subject Matter Expert (SME) to join our Secure Development Cybersecurity team. This role is crucial to strengthening our software supply chain security and ensuring open-source compliance across development teams in the Global Businesses and Functions. The ideal candidate will possess deep expertise in Sonatype IQ Server along with other OSS scanning tools (such as Snyk, Black Duck, Dependency-Track and CrowdStrike), a strong grasp of modern DevSecOps practices, and hands-on experience in establishing FOSS usage policies in enterprise environments.

In this role, you will be responsible for the secure adoption, governance and compliance of open-source software across the organisation. You will work closely with development, security and technology teams to mitigate risks, enforce policies and enhance the security posture of open-source software.

Key Responsibilities

Serve as the primary advisor and technical expert for Sonatype Nexus IQ Server and open-source dependency vulnerability scanning.

Implement and maintain Sonatype IQ integrations within CI/CD pipelines to automate security and compliance checks.

Analyze and remediate vulnerabilities, license risks, and policy violations in open-source dependencies.

Develop and enforce software composition analysis (SCA) best practices across development teams.

Collaborate with security teams to prioritize and mitigate OSS vulnerabilities based on risk assessments.

Create and maintain custom policy configurations in Sonatype IQ to align with organizational security standards.

Train and mentor engineering teams on secure OSS usage, dependency management, and DevSecOps best practices.

Uplift the vulnerability scanning and remediation capabilities to meet enhanced Service Level Agreements (SLAs), ensuring timely and effective resolution of security vulnerabilities.

Monitor and report on FOSS risk metrics, providing actionable insights to leadership.

Stay updated on emerging software supply chain threats and recommend proactive security measures.

Support the SBOM interlock and proactively participate in the wider SBOM programme.

Perform security assessments and identify potential risks associated with open-source LLMs.

Required Skills & Qualifications:

4+ years of hands-on experience with Sonatype Nexus IQ Server in an enterprise environment.

Strong understanding of Software Development Life Cycle (SDLC) with a focus on security.

Strong expertise in open-source software security, vulnerability management and licence compliance.

Proficiency in DevSecOps practices, including CI/CD integration (Jenkins, GitLab, GitHub Actions, etc.).

Experience with software composition analysis (SCA) tools and dependency management (Maven, npm, pip, etc.).

Knowledge of OWASP Top 10, CVE, and MITRE ATT&CK frameworks related to OSS risks.

Familiarity with container security (Docker, Kubernetes) and SBOM (Software Bill of Materials) generation.

Scripting skills (Bash, Python, Groovy) for automation and tool customisation are desirable.

Excellent communication skills, with the ability to explain complex security concepts to non-technical stakeholders.

Education & Experience:

7+ years of experience in cybersecurity, information security or security engineering.

Strong DevSecOps and Software security background.

One or more industry-recognised cybersecurity certifications (such as CISSP, CRISC, CISM or OSCP) are desirable.

Bachelor's or Master's degree in Computer Science, Information Technology, Cybersecurity or an equivalent field.


Job ID: 130209341