How You'll Contribute
As a Consultant Product Security, you will guide the organization in designing and implementing secure software development practices by collaborating with development, DevOps, and operations teams to embed security throughout every phase of the software development lifecycle (SDLC).
Your responsibilities will include advising on application security scans, developing tool run books, and driving automation initiatives to enhance DevSecOps programs. You will also recommend best practices and process improvements to improve the efficiency of the overall security program.
Serving as a security subject matter expert, you will mentor junior engineers and provide expert guidance in the product security program by performing comprehensive security reviews and coordinating external penetration test activities, including threat modeling and application security validation.
The ideal candidate will have extensive experience consulting with software development teams, deep knowledge of security-by-design and privacy-by-design principles, and familiarity with industry standards such as NIST CSF, SSDF, and OWASP. You will also evaluate and recommend security tools and platforms based on detailed assessments of control gaps and organizational needs. Your responsibilities include:
- Define and enforce secure coding standards and best practices.
- Perform threat modeling and source code analysis across various development languages (preferably .NET and Java).
- Design and implement secure CI/CD pipelines with integrated security controls.
- Automate security testing (SAST, DAST, IAST, SCA, container scanning) in the SDLC process.
- Evaluate and integrate security tools and platforms.
- Lead the DevSecOps program in collaboration with DevOps, Operations, and Engineering teams.
- Build automation focused on efficiency (e.g., increasing triage efficiency, managing false positives).
- Leverage ASPM to build workflows and reports.
- Implement Infrastructure as Code (IaC) security and cloud-native security controls.
- Monitor and respond to security incidents in development and production environments.
- Collaborate with development teams to remediate vulnerabilities and design secure applications.
- Develop and deliver secure coding training and awareness programs.
- Stay current with emerging threats, vulnerabilities, and security technologies.
- Ensure compliance with industry standards (e.g., OWASP, NIST).
What You'll Need to Bring
- 8-15 years of overall experience in application security, software development, or related roles.
- 6+ years of work experience in application security, preferably in the fintech or financial services domain.
- Strong understanding of web, mobile, API, and cloud applications and their architectures.
- Experience reviewing or contributing code in Java, JavaScript, .NET, C#, Python, or IaC scripting.
- Hands-on experience running SCA, SAST, DAST, IAST, SBOM, ASPM, Apigee, WAF, and similar tools, including approaches or optimizations that let these tools efficiently enforce enterprise S-SDLC policies.
- Deep understanding of DevSecOps practices and experience with CI/CD automation on one of the popular platforms, such as GitLab, GitHub, or Azure DevOps.
- Knowledge of cloud platforms (AWS, Azure) and container orchestration (Kubernetes, Docker).
- Experience supporting developer tooling as a security professional (e.g., integrating security tools with IDEs, PR checks).
- Experience building security controls for systems that follow the NIST CSF and SSDF frameworks, and performing risk-based security reviews that meet OWASP, SOC 2, and GDPR requirements.
- Ability to identify and summarize practical operational procedures, write standards or SOPs, and provide security scan reports.
- A good understanding of full-stack software development and best practices for developing software (version control, branching, automation, IaC, documentation, testing, etc.).
- Ability to collaborate cross-functionally and communicate effectively with highly technical teams and provide written assessment reports as needed.
Nice-to-Haves
- Certifications such as CSSLP, OSWE, or CEH.
- Exposure to AI security initiatives is an advantage.