Security Engineer

Recro

Bengaluru | Full-time | Mid Level | On-site

Job Description

Role - Application Security Engineer
Experience - 4-7 yrs
Location - Bangalore

Key Responsibilities

Internal VAPT & Security Testing
● Execute internal VAPT on web applications, APIs, and React Native mobile applications, focusing on real-world attack paths.
● Perform authenticated and authorization-focused testing, including BOLA/IDOR, broken access control, and session abuse.
● Validate scanner results and provide reproducible evidence such as PoCs, request/response traces, and impact narratives.

DAST Program Support
● Improve DAST scanning reliability and signal quality by managing scope definition, scan profiles, and false positives.
● Produce verified, developer-actionable outputs for the monthly DAST cadence.
● Maintain stable test credentials and safe scanning practices for Tier-0/Tier-1 applications in coordination with the DAST owner.

Secure SDLC & DevSecOps Enablement
● Support security checks integrated into GitHub Actions, including secrets scanning and dependency hygiene.
● Provide practical remediation guidance and secure coding recommendations for Node/React/Next and API services.
● Develop reusable developer guidance, such as secure patterns and verification scripts, to reduce vulnerability recurrence.

Triage, Verification & Mobile Security
● Triage findings from SAST, SCA, and DAST sources to ensure high-confidence issues reach engineering.
● Verify fixes and ensure closure quality for high-risk issues.
● Perform mobile security testing, including API endpoint discovery, secure storage assessments, and deep link validation.

External VAPT & Bug Bounty Support
● Prepare scope, test accounts, and validation assistance for external VAPT execution.
● Assist in retest verification for external findings.
● Support bug bounty readiness through triage playbooks and severity assessment guidance.

Qualifications & Experience
● Education: Bachelor's degree in Computer Science, Cybersecurity, Information Security, or equivalent practical experience.
● Experience: 3–5+ years in application security, product security, or penetration testing with strong hands-on skills.
● Technical Testing: Demonstrated experience in web application and API security testing; mobile security experience is strongly preferred.
● Tooling: Proficiency with at least two of the following: Acunetix, Burp Suite, OWASP ZAP, SonarQube (or other SAST tools), dependency scanning tools, or secrets scanning tools.

Technical Knowledge & Skills
● Deep understanding of OWASP Top 10 and API security risks (BOLA/IDOR, mass assignment, rate-limit abuse).
● Strong grasp of authentication and authorization models, including JWT, OIDC, and session handling.
● Working knowledge of DevSecOps practices and embedding security testing into CI workflows (GitHub Actions).
● Ability to build reproducible proofs and use scripting (Python/Node) for light automation.
● Familiarity with Cloudflare WAF/API Shield and API gateway architectures (Kong/AWS API Gateway) is a plus.

Posted 2 weeks ago
