Consultant – Product Security

Company: Envestnet
Location: Thiruvananthapuram
Job Description:

Responsibilities  

  • Define and enforce secure coding standards and best practices.

  • Apply hands-on experience to perform threat modeling and source code analysis across various development languages (preferably .NET and Java).

  • Design and implement secure CI/CD pipelines with integrated security controls.

  • Automate security testing (SAST, DAST, IAST, SCA, container scanning) in the SDLC process.

  • Evaluate and integrate security tools and platforms.

  • Lead the DevSecOps program in collaboration with DevOps, Operations and Engineering teams.

  • Build automation focused on efficiency (e.g., increase triaging efficiency, manage false positives, etc.).

  • Leverage ASPM and build workflows and reports.

  • Implement Infrastructure as Code (IaC) security and cloud-native security controls.

  • Monitor and respond to security incidents in development and production environments.

  • Collaborate with development teams to remediate vulnerabilities and design secure applications.

  • Develop and deliver secure coding training and awareness programs.

  • Stay current with emerging threats, vulnerabilities, and security technologies.

  • Ensure compliance with industry standards (e.g., OWASP, NIST, etc.).

 

Requirements  

  • Overall, 8-10 years of experience in application security, software development, or related roles.

  • 6+ years of work experience in application security, preferably in a fintech or financial services domain.

  • Strong understanding of web, mobile, API and cloud applications and their architectures.

  • Experience reviewing or contributing code in Java, JavaScript, .NET, C#, Python, or IaC scripting.

  • Hands-on experience running SCA, SAST, DAST, IAST, SBOM, ASPM, Apigee, WAF, etc., with approaches or optimizations for the tools to efficiently enforce the enterprise S-SDLC policies.

  • Deep understanding of DevSecOps practices and experience in CI/CD automation for one of the popular platforms, such as GitLab, GitHub or Azure DevOps.

  • Knowledge of cloud platforms (AWS, Azure) and container orchestration (Kubernetes, Docker).

  • Perspective of supporting developer tools as a security professional (e.g., integrating security tools with IDEs, PR checks, etc.).

  • Experience building security controls for a system that follows the NIST CSF and SSDF frameworks and performing risk-based security reviews that meet OWASP, SOC 2, and GDPR requirements.

  • Ability to identify and summarize practical operational procedures, write standards or SOPs, and provide security scan reports.

  • A good understanding of full stack software development and best practices for developing software (version control, branching, automation, IaC, documentation, testing, etc.) 

  • Ability to collaborate cross-functionally and communicate effectively with highly technical teams and provide written assessment reports as needed.

  • Certifications such as CSSLP, OSWE, or CEH.

  • Exposure to AI security initiatives is an advantage.

Posted: February 20th, 2026