What You’ll Do
- Drive the implementation and rollout of the security-in-depth concept to ensure security is incorporated in all the different layers within our products.
- Conduct security code reviews using automated and manual techniques.
- Conduct security scanning and testing on our hosting environment and web applications.
- Work with engineering and software QA teams to prioritize and address security bug fixes, security feature implementations and various security enhancements.
- Conduct security architecture design reviews and develop or enhance security requirements related to new and existing software platforms, systems and features.
- Conduct internal and external security assessments, audits, and penetration testing.
- Create and maintain comprehensive internal and external documentation.
- Develop training materials for security awareness and deliver security technology training, such as emerging trends of security risks, latest security tools and methodologies, information security concepts, etc.
- Contribute to the Risk Management Program: work and collaborate with teams to bring about a cohesive and comprehensive security program (policies, standards, practices and processes) that leaves as few security loopholes as possible, ideally none.
- Build and maintain application threat modelling.
- Handle customer security reviews and compliance/legal reviews related to security.
- Participate in discussions with customer security teams, answer any questions related to security, and carry action items forward into the security/product roadmap, coordinating with other teams to get them done.
Skills & Requirements
- 5+ years of professional experience in information security and web application security.
- Deep understanding of the OWASP Top 10 and SANS Top 25 application security errors.
- Experience using commercial and/or open source static code analysis tools such as Veracode, Fortify or Checkmarx.
- Familiarity with scripting languages such as Perl, PHP, Python, Ruby, Shell, etc.
- Experience with commercial and/or open source security tools (for example: Qualys, Nessus, Metasploit, Wireshark, IDS/IPS, Firewall, etc.).
- Strong experience with DevOps culture and tools (e.g. GoCD or similar), Ansible, Docker, Kubernetes.
- Working exposure to one of the major cloud IaaS providers (AWS, Azure, Google) is beneficial.
- Strong analytical and problem-solving skills.
- Strong oral and written communication skills.
- Associate's or bachelor's degree (Computer Science or Technology preferred).
- Security certifications such as CISSP, CISM, GPEN, CEH, CCNA, etc.
- Strong understanding of web protocols and standards (TCP/IP, HTTP, SSL, DNS, etc.).
- Experience with audits and compliance (SAS 70/SSAE 16, ISO 27001, SOX, PCI DSS, etc.).