Nykaa

Nykaa - Security Engineer III - Applications Security

  • Posted 3 hours ago

Job Description

Role Overview

You will be a senior security engineer within the organization responsible for identifying, triaging, and mitigating complex security vulnerabilities across the entire application suite. This role requires a seasoned specialist who thinks like an attacker to uncover deep-seated logical flaws and proactively safeguard our software ecosystem. You will act as a bridge between development and security, ensuring that everything from core microservices to cutting-edge GenAI implementations is resilient against modern threats.

Key Responsibilities

Software Supply Chain Security & DevSecOps:

  • Lead the implementation of Software Supply Chain Security practices, including Software Bill of Materials (SBOM) management and securing the integrity of third-party dependencies.
  • Collaborate with DevOps and Development teams to integrate security best practices and guardrails into the CI/CD pipeline (Jenkins/GitHub Actions).
  • Vulnerability Reachability: Reproduce and validate open-source/third-party library vulnerabilities in controlled environments to determine if the vulnerable code path is actually reachable in our product.
  • Audit and manage GitHub Security Posture, ensuring robust secret scanning, branch protection, and repository security

Advanced Vulnerability Research & Testing:

  • Execute sophisticated Web, Mobile (Android/iOS), and API penetration testing.
  • Go beyond checklist-based testing to identify complex logical and business flaws across the Nykaa ecosystem.
  • Hands-on experience with Product Security Environments in Microservice Architectures.
  • Experience with application security tools such as static analysis (SAST), dynamic analysis (DAST), and web application firewalls

Security Architecture & Threat Management:

  • Experience with conducting Threat Modeling Assessments during the design phase.
  • Deep understanding of secure SDLC principles and their application in cloud environments.
  • Experience with Securing GenAI-based Applications and understanding the unique threat landscape of LLMs.
  • Familiarity with AWS and GCP environments is a strong

Documentation & Stakeholder Management:

  • Ability to clearly document findings and communicate risk effectively to technical and non-technical stakeholders.
  • Support cybersecurity process activities including security requirements definition, code reviews, and cyber risk assessment.
  • Mentor developers and junior engineers on secure coding practices in Java, JavaScript, and

Skills & Qualifications

  • 8+ Years of Experience: Minimum of 8 years of hands-on experience in Application Security, Penetration Testing, or Product Security.
  • Certifications (Preferred): Candidates with hands-on certifications such as OSCP, OSEP, or OSWE are highly preferred.
  • Technical Mastery: Expert-level proficiency in Web, Mobile (iOS/Android), and API security testing.
  • Supply Chain Knowledge: Familiarity with securing software supply chains and third-party risk management.
  • Code Proficiency: Strong ability to read and debug code in software development languages (e.g., Java, JavaScript, Python).
  • Cloud Fluency: Practical knowledge of securing cloud-native applications in AWS or GCP.

(ref:hirist.tech)


Job ID: 148308067