Job Description Security Tester
Document Classification Restricted
Job title Security Tester- Bangalore
Reports to Portfolio Manager
Job Purpose
- To test, re-test (as needed) and validate Countermeasures implemented by the Development
and DevOps team in response to identified Threats / Vulnerabilities and confirm that
remediation efforts are effective, complete, and secure.
- To confirm that the application meets defined security standards post-remediation activities
without impacting the compliance expectations.
Duties and Responsibilities
- Testing and confirming the implemented Remediation measures
- Run the steps to exploit identified/known Threats / Vulnerabilities and validate that
they have been properly fixed. Verify and confirm that the issue is no longer exploitable
by executing various scenarios including original and edge-case scenarios
- Evaluate the correctness and completeness of implemented security controls such as:
- Input validation
- Authentication & session handling
- Access control logic (RBAC, ABAC)
- Output encoding/sanitization
- Secure configuration (headers, SSL/TLS settings)
- Regression and Impact analysis - Ensure that the remediation measures do not break other
security features or introduce new vulnerabilities. Perform regression testing on the related
functionality.
Tests to be conducted based on threat models, business criticality, and data sensitivity.
Focus on high-risk areas like authentication, PHI dataflows, admin functionalities, etc.
- Test Reports submission and Documentation
- Document test results
- Maintain Countermeasures, Threats / Vulnerabilities tracker updates and evidence
- g., screenshots, logs, PoCs)
- Provide improvement feedback where countermeasures could be more robust.
- Collaboration
Work closely with DevOps Team, Design and Development team, Security team, and QA
team to conduct the tests and verification activities
Where applicable, share technical feedback to help developers implement more secure
solutions
Job Description Security Tester
Authorities
- Authorized to conduct security Countermeasures validation.
- Authorized to make recommendations for remediation actions based on test results.
- Authorized to engage with internal DevOps / Development / Security / QA teams to discuss
findings and recommendations.
Qualifications
- security, or a related field.
- Experience in SAST tools such as Iriusrisk, Black Duck, Coverity, and SonarQube
- 3-4
Google Cloud Platform (GCP)
- Good understanding of Azure Cloud IaaS and PaaS Service, CIS benchmarks
- Experience with assessment, development, implementation, optimization, and
documentation of a comprehensive and broad set of security technologies and processes
(secure software development (Application Security), data protection, cryptography, key
management, Identity and Access Management (IAM), network security) within SaaS, IaaS,
PaaS, and other cloud environments
- Experience with enterprise applications (architecture, development, support, and
troubleshooting)
- Experience and exposure to threat modeling and design reviews to assess security
implications and requirements for introduction of new technologies
- Relevant security certifications such as CISSP, CISM, or CEH are a plus.
- Good to have Microsoft Certified: Azure Security Engineer Associate, Microsoft Certified:
Cybersecurity Architect Expert
Other Attributes
- Experience in application security testing, QA security validation, or vulnerability
management.
- Solid understanding of web application security, Azure, Secure SDLC, and Threat Modeling
concepts and Industry leading tools.
- Familiarity with SAST, DAST concepts and tooling.
- Experience with vulnerability tracking tools (e.g., Jira, ADO etc.).
- Basic knowledge of code and scripting (e.g., Python, JavaScript, Bash) is a plus.
- Strong documentation, communication, and analytical skills.
- Exposure to DevSecOps environments and pipelines.
- Familiarity with cloud security testing (AWS, Azure, GCP).
- Understanding of REST API security testing
- Familiarity with tools like Burp Suite, OWASP ZAP, Swagger, Nmap, etc.
