
Recro

Security Engineer

  • Posted 7 days ago

Job Description

Role - Application Security Engineer

Experience - 4-7 yrs

Location - Bangalore

Key Responsibilities

Internal VAPT & Security Testing

Execute internal VAPT on web applications, APIs, and React Native mobile applications, focusing on real-world attack paths.

Perform authenticated and authorization-focused testing, including BOLA/IDOR, broken access control, and session abuse.

Validate scanner results and provide reproducible evidence such as PoCs, request/response traces, and impact narratives.

DAST Program Support

Improve DAST scanning reliability and signal quality by managing scope definition, scan profiles, and false positives.

Produce verified, developer-actionable outputs for the monthly DAST cadence.

Maintain stable test credentials and safe scanning practices for Tier-0/Tier-1 applications in coordination with the DAST owner.

Secure SDLC & DevSecOps Enablement

Support security checks integrated into GitHub Actions, including secrets scanning and dependency hygiene.

Provide practical remediation guidance and secure coding recommendations for Node/React/Next and API services.

Develop reusable developer guidance, such as secure patterns and verification scripts, to reduce vulnerability recurrence.

Triage, Verification & Mobile Security

Triage findings from SAST, SCA, and DAST sources to ensure high-confidence issues reach engineering.

Verify fixes and ensure closure quality for high-risk issues.

Perform mobile security testing, including API endpoint discovery, secure storage assessments, and deep link validation.

External VAPT & Bug Bounty Support

Prepare scope, test accounts, and validation assistance for external VAPT execution.

Assist in retest verification for external findings.

Support bug bounty readiness through triage playbooks and severity assessment guidance.

Qualifications & Experience

Education: Bachelor's degree in Computer Science, Cybersecurity, Information Security, or equivalent practical experience.

Experience: 3–5+ years in application security, product security, or penetration testing with strong hands-on skills.

Technical Testing: Demonstrated experience in web application and API security testing; mobile security experience is strongly preferred.

Tooling: Proficiency with at least two of the following: Acunetix, Burp Suite, OWASP ZAP, SonarQube (or other SAST tools), dependency scanning, or secrets scanning tools.

Technical Knowledge & Skills

Deep understanding of OWASP Top 10 and API security risks (BOLA/IDOR, mass assignment, rate-limit abuse).

Strong grasp of authentication and authorization models, including JWT, OIDC, and session handling.

Working knowledge of DevSecOps practices and embedding security testing into CI workflows (GitHub Actions).

Ability to build reproducible proofs and utilize scripting (Python/Node) for light automation.

Familiarity with Cloudflare WAF/API Shield and API gateway architectures (Kong/AWS API Gateway) is a plus.


Job ID: 148402239
