Government e Marketplace (GeM)

Manager/Senior Manager - Platform Security Specialist

8-10 Years
  • Posted 22 hours ago

Job Description

About GeM

Government eMarketplace is a unified digital platform that facilitates end-to-end procurement of goods and services by various government departments, organizations, and public sector undertakings (PSUs). Our Honourable Prime Minister's concerted efforts to harness the power of digital platforms to achieve Minimum Government, Maximum Governance led to the genesis of GeM in 2016.

GeM provides a paperless, cashless and contactless ecosystem for government buyers to directly purchase products and services from pan-India sellers and service providers through an online platform. GeM covers the entire gamut of the procurement process, right from vendor registration and item selection by buyers to receipt of goods and facilitation of timely payments. GeM envisions utilising the agility and speed that come with a digital platform, created with the strategic intent to reinvigorate public procurement systems and bring about a lasting change for the underserved as well as the nation.

Built on the pillars of Efficiency, Transparency and Inclusivity, GeM has emerged as a digital tool in the nation's interest, aimed at catalyzing excellence in public procurement. To know more about us, please visit https://gem.gov.in/

You may also follow us on:

Twitter LinkedIn Koo App YouTube Facebook

What is it like to work at GeM

  • Opportunity to work with a team of highly passionate professionals from the private and government sectors
  • Unbounded space for creativity and innovation.
  • Agile and collaborative work environment
  • Highly transparent and open work culture
  • Work-life balance
  • Various kinds of health cover (insurance) for the individual and family
  • A great opportunity to learn and hone your skills.

Compensation: GeM offers a competitive salary and other additional benefits.

Type of employment: This is a contractual role under Project Management Unit (PMU) of GeM.

Location: This position is based in Delhi.

Role Overview

We are seeking a Platform Security specialist with hands-on expertise in offensive testing, client-side exploitation, and architectural hardening to uncover and remediate vulnerabilities in GeM and in the new portal, which is currently under development.

This role will lead structured diagnostic assessments, including session management, context token validation, API replay protection, cross-window/browser exploitation, and fraud detection, while also executing real-world ethical hacking simulations to expose weaknesses before adversaries do.

You will design and enforce zero-trust client-server models, implement tamper-evident protocols, and ensure that critical business logic remains secure in our micro-frontend and microservices architecture.

Key Responsibilities

1. Offensive Security & Ethical Hacking

  • Perform full-spectrum penetration testing (frontend, backend, APIs) targeting:
    • React micro frontends and React Native mobile apps
    • Java Spring Boot and Ruby on Rails backend services
    • Integration points (API gateways, service orchestrations)
  • Simulate client-side tampering via:
    • Browser developer tools (DOM manipulation, JS injection)
    • Network request interception/replay
    • Cross-tab/window state manipulation
  • Conduct diagnostic assessments as per the security questionnaire:
    • Session & Search Management
      • Audit search session ID generation and isolation
      • Test multiple-tab/multiple-window handling
      • Verify that L1 (lowest price) determinations are server-authoritative
      • Assess persistence and cryptographic signing of search results
    • Purchase Token & Validation System
      • Analyze purchase API payloads for session binding & tokenization
      • Verify token one-time use & binding to search sessions
      • Detect cross-search purchase vulnerabilities
    • Cross-Window & Browser Security
      • Evaluate browser fingerprinting & cross-window manipulation detection
      • Test developer tools / DOM tamper detection capabilities
    • API Security & Replay Protection
      • Test request idempotency & replay attack resilience
      • Audit depth of server-side validation beyond authentication
      • Check request/response integrity & response signing mechanisms
    • Fraud Detection & Monitoring
      • Assess anomaly detection coverage & event correlation
      • Verify completeness of audit trails for forensic reconstruction
    • Architecture-Level Security
      • Map trust boundaries between client and server
      • Identify risks from client-side state manipulation

2. Defensive Architecture & Hardening

  • Architect context-token and payload-signing systems to bind requests to sessions, actions, and parameters.
  • Define and enforce Content Security Policy (CSP), Trusted Types, and Subresource Integrity (SRI) for all frontend assets.
  • Implement replay prevention mechanisms, idempotency keys, and anti-fraud telemetry.
  • Harden state management to ensure critical decisions and calculations are backend-only.

3. Monitoring & Detection

  • Develop client-side security monitoring:
    • DOM mutation detection
    • Service Worker-based egress guard
    • CSP/SRI violation reporting
  • Integrate client telemetry with backend SIEM for real-time detection of tampering and fraud.
  • Establish continuous security regression testing pipelines in CI/CD.

4. Business Logic & Procurement Security

Identify and test for business rule bypasses that may allow manipulation of procurement workflows (e.g., bid extension, cancellation, or L1 price leakage).

Identify and assess workflows for bid manipulation risks, including collusion, proxy bidding, and last-minute sniping strategies.

Ensure that business-critical workflows are tamper-proof, auditable, and enforce compliance with government procurement norms.

Educational Qualification

Essential: B.Tech in Computer Science/IT/Software Engineering from a reputed institute/university

Required Skills & Experience

  • 8+ years in application security, penetration testing, or security architecture
  • Mastery of web and API exploitation techniques (cross-site scripting (XSS), cross-site request forgery (CSRF), replay attacks, logic flaws).
  • Hands-on with security testing tools: Burp Suite, OWASP ZAP, Postman scripting, custom fuzzers.

Desired Skills & Experience

  • Proven ability to design token-based authorization, session isolation, and state synchronization security.
  • Strong knowledge of Java Spring Boot and Ruby on Rails security practices.
  • Experience with browser security models (CSP, Trusted Types, SRI, sandboxing).
  • Familiarity with fraud detection systems and audit logging best practices.
  • Certifications: OSCP, OSWE, CEH, GWAPT, or similar.

Preferred Domain Experience:

  • E-Procurement/Financial Systems Security (Preferred)
    • Experience with e-procurement fraud patterns preferred
    • Understanding of government procurement compliance requirements
    • Knowledge of bid manipulation and price manipulation attack vectors

Preferred Qualifications

  • Background in securing micro frontend / microservice architectures.
  • Experience with workflow orchestrations (Camunda 8, IBM BAMOE 9.1).
  • Familiarity with threat modeling and MITRE ATT&CK for Web.

Success Metrics

  • Identified & remediated vulnerabilities in all diagnostic questionnaire categories.
  • Zero critical security findings in post-release penetration tests.
  • Increased detection rate of client-side and API tampering attempts.
  • Measurable improvement in fraud prevention and audit trail completeness.

The GeM selection committee reserves the right to relax or extend the eligibility criteria and educational qualifications.

In case the number of applications received is very high, GeM reserves the right to shortlist candidates and invite only shortlisted candidates for the interview round.

The crucial date for determining eligibility will be the last date of receipt of applications. No applications shall be entertained under any circumstances after the stipulated date. Incomplete applications shall be rejected.

GeM reserves the right to shortlist candidates for interview. Applicants should note that mere fulfillment of the minimum eligibility criteria may not ensure consideration for shortlisting for interview. GeM will not entertain any correspondence on this subject, and the decisions of GeM will be final in all matters.

Job ID: 135877129