What You'll Do
- Conduct VAPT (Vulnerability Assessment & Penetration Testing) across web applications, mobile apps, and APIs — end-to-end, with clear findings and actionable recommendations.
- Perform secure code reviews across Go, Python, Java, and Node.js codebases to identify security issues before they reach production — not just relying on scanners.
- Integrate and tune SAST, DAST, dependency scanning, and other security tooling into CI/CD pipelines to automate vulnerability detection at scale.
- Identify and remediate cloud security misconfigurations — particularly in AWS — covering IAM policies, networking, storage, and service configurations.
- Build and improve security automation, signal aggregation pipelines, and internal tooling that reduce manual toil for the security team.
- Respond to security incidents: triage, investigate, contain, and help build resilience to prevent recurrence.
- Partner with engineering teams to embed security into product development workflows — be a resource, not a gatekeeper.
- Stay ahead of emerging threats, vulnerability disclosures, and attack techniques relevant to the company's stack and operating environment.
Core Skills
- Hands-on experience with VAPT — web, mobile, and API security — with the ability to go beyond tooling and think like an attacker.
- Ability to read and review code in one or more of: Golang, Python, Java, Node.js — finding security issues through manual review, not just automated scans.
- Solid understanding of cloud security fundamentals, especially AWS: IAM, VPC, S3, security groups, and common misconfigurations.
- Familiarity with application security concepts: OWASP Top 10, authentication/authorization flaws, injection vulnerabilities, insecure deserialization, etc.
- Experience with CI/CD pipelines and integrating security tooling (SAST, DAST, SCA) into developer workflows.
- 3–5 years of experience in a security engineering, AppSec, or product security role at a product-first company.
- B.Tech / M.Tech in Computer Science or equivalent.
How You Work
- You are curious and proactive — you dig into problems rather than waiting for them to escalate.
- You balance security best practices with real-world product and business constraints — you understand what "good enough for now" means without losing sight of the right direction.
- You communicate clearly with engineers and non-engineers alike — you can explain a SQL injection in a pull request comment or in a leadership review.
BONUS POINTS
- Participation in CTFs (Capture the Flag), bug bounty programs, or published security research.
- Experience with container security or Kubernetes environments.
- Exposure to threat modeling, security design reviews, or red-teaming exercises.
- Familiarity with mobile security (iOS/Android) in addition to web/API.
Skills: VAPT, AppSec / application security, secure code review, AWS, OWASP, bug bounty