Security Engineer · Bengaluru

Responsibilities

• Guide the technology organizations security and privacy initiatives by participating in design reviews and threat modeling.

• The applications are developed by the developers and product managers, and you will make sure the applications are secured and hardened.

• You will define the scope and ensure continuous adherence to the scope of projects at each phase (initiation to sustenance/maintenance phase).

• You will be responsible for creating visibility, and adoption of the projects meant for internal customers.

• Act as a security engineering expert and technical champion within Zeta.

• Assess gaps, and tools to improve application security

• Liasioning with all external and internal stakeholders for the team.

• Mentoring developers and QA.

• Evaluate bugs reported through the Bug Bounty program.

• Run security posture of various applications across BU s.

• Continuous improvement of web/mobile application security

• Quarterly VA/PT (internal/external, authenticate/non-authenticated) for mobile/web.

• Secure configuration of Web/Mobile application, DB, Data etc.

Skills

• Hands on VA/PT experience in Web, Mobile, API & Network

• Thorough understanding of OWASP Top 10, their attack & defence mechanisms

• Exposure to Secure SDLC Activities, Threat Modelling & Secure Coding

• Experience on both commercial and open source tools like Burpsuite, AppScan, OWASP ZAP, BEEF, MetaSploit, Qualys, Nessus, Synk etc.

• Identifying & exploiting business logic-related vulnerabilities.

• Solid understanding of Cryptography, knowledge of PKI-based systems, TLS

• Understanding of different AuthN/AuthZ frameworks (OIDC, oAuth, SAML) able to read/write/understand java code

• Performed Static Analysis, Code reviews using tools like Snyk, Veracode, Checkmarx, Sonarqube etc.

• Hands on Reversing mobile applications, class/small files, data obfuscators, or ciphers (Dex2jar, adb, Drozer, Clang, iMAS) and Dynamic Instrumentation tools like Frida/Objection

• Execute penetration tests and security assessments on internal and external networks, Windows and Linux environments, cloud (AWS) Infrastructure.

• Identify and exploit incorrect configurations and security vulnerabilities on Windows and Linux servers. Safely utilize tools, tactics, and procedures used in penetration testing engagements.

• Shell scripting or automation of simple tasks using Python, or Ruby

• Knowledge of PA-DSS, PCI SSF (S3, SSLC) etc.

• Knowledge of security standards like PCI DSS, UIDAI, GDPR, NIST etc.

• Understanding of Java Frameworks like Springboot, CI/CD, Jenkins.

• In-depth understanding of production operations on public cloud infrastructure.

• Excellent written and oral communication and a penchant for technical documentation.

• Must have participated in various bug bounty programs (HackerOne, Bug Crowd, Private etc)

• Experience in conducting hackathons and CTF s

• Knowledge of AWS/Azure (VPC/Vnet, S3 buckets, blob stores, LoadBalancers etc.), Dockers & Containers, Kubernetes

• Good understanding of agile development practices.

• Certifications like OSCP(Preferred), GWAPT, Advanced Web Attacks and Exploitation (AWAE), Comptia Security+

• Knowledge of Databases - Postgresql, Redshift, My SQL etc. and other data stores like Elasticsearch and S3 buckets.

Experience and Qualifications

• 2+ years of experience in developing large scale internet or SaaS applications.

• 2 to 3 years of overall experience as Web/Mobile Application Security engineer or Developer in medium to large-sized product companies.

• Bachelor of Technology (BE/ B.Tech ), M.Tech or ME in Computer Science or equivalent from a Tier-1 engineering college/university