Application Security Architect

Tata Consultancy Services Limited
Irvine, United States of America
yesterday

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Compensation
$140K

Job location

Irvine, United States of America

Tech stack

Kubernetes Security
Java
.NET
API
Amazon Web Services (AWS)
Antivirus Software
Application Integration Architecture
Audit Trail
Cloud Computing Security
Computer Security
Computer Networks
Continuous Integration
Data Centers
Data Migration
Database Security
Network Address Translation
DevOps
Oracle Exadata
Data Flow Control
Identity and Access Management
IP Routing
Subnetting
Key Management
Network Security
Windows Server
Network Architecture
Wireless Security
OpenID
Oracle Applications
Open Web Application Security
Systems Development Life Cycle
Role-Based Access Control
Red Hat Enterprise Linux - RHEL
Zero Trust Network Access
Security Assertion Markup Language (SAML)
Secure Coding
SQL Databases
Systems Integration
Transport Layer Security
Software Security
CloudFormation
Database Migration
Information Technology
CIS Benchmarks
CloudWatch
Terraform
Data Pipelines
Serverless Computing
TIBCO (Software)
Enterprise Service Bus
Static Application Security Testing
Dynamic Application Security Testing

Job description

  • Hands-on AWS application security architecture across EC2, EKS/ECS, VPC, IAM, KMS, Secrets Manager, WAF/Shield, GuardDuty, Inspector, CloudTrail, Config, Security Hub.
  • Threat modeling expertise (e.g., STRIDE), dataflow decomposition, and abuse-case identification for web, API, ESB, and data migration paths.
  • Secure SDLC enablement: integrating SAST/DAST, SCA, container image scanning, IaC scanning (e.g., Terraform/CloudFormation), and secret scanning in CI/CD.
  • Strong command of OWASP Top 10, ASVS, dependency risk management, and secure coding standards for Java and .NET services and APIs.
  • Container and serverless security: EKS/ECS hardening (IRSA, network policies, admission controls), ECR scanning, Lambda least privilege, and event security.
  • Identity & access design: IAM roles, SCPs, org guardrails, role segmentation (RBAC/ABAC), federation (SAML/OIDC), and JIT access patterns.
  • Database security: Oracle 19c/Exadata encryption (TDE), DB network encryption, key management, privileged access controls, and SQL audit strategies.
  • TIBCO ESB security: mTLS, TLS 1.2+, credential/secret handling, payload validation, and API & integration governance.
  • OS hardening knowledge for Windows Server 2016/2019/2022/2025 and RHEL 7/8/9 (CIS benchmarks, patching, endpoint controls).
  • Clear communicator and coach for dev/DevOps/SRE teams; adept at risk articulation, trade-off decisions, and executive-level reporting.
  • Lead the security architecture for the data center exit, defining secure landing zone patterns, reference architectures, and migration guardrails.
  • Perform threat models (STRIDE) for target architectures: web/API tiers, TIBCO integrations, data pipelines, and database migration flows to Exadata on AWS.
  • Embed security controls into the SDLC: codify policies for SAST/DAST/SCA, container/IaC scanning, and enforce break-glass/approval workflows in CI/CD.
  • Design identity and access patterns: least-privilege IAM roles, fine-grained segmentation, secrets rotation, and cross-account access governance.
  • Define network security: VPC design, segmentation, Security Groups/NACLs, PrivateLink, TGW, WAF/Shield policies, and egress controls for EC2/EKS.
  • Establish data protection: KMS/HSM key hierarchies, envelope encryption, TDE for Oracle, tokenization/masking where needed, and secure backups/replication.
  • Drive cloud security monitoring & IR: CloudTrail/Config/GuardDuty/Security Hub alerting, log centralization (e.g., CloudWatch/SIEM), and playbooks/runbooks.
  • Conduct risk assessments and design reviews, align to OWASP Top 10, NIST/ISO control families, and document residual risks & compensating controls.
  • Partner with DB, app, and integration teams to secure migration tooling (e.g., replication, cutover paths), validate rollback, and perform pre-go-live pen tests.
  • Coach engineers via secure patterns (sample code/policies/Helm/Kyverno/Gatekeeper), lead readiness reviews, and track remediation to closure.
  • Network architecture on AWS: VPCs, subnets, route tables, NAT/IGW, PrivateLink, Transit Gateway, inter-VPC segmentation, and zero-trust patterns.
  • Database migration security: encryption in transit/at rest, key rotation, privileged access, audit logging, and secure replication/cutover strategies.
  • TIBCO ESB in cloud: TLS/mTLS, credential vaulting, secure connector patterns, API governance, and monitoring/observability for integrations.
  • Experience hardening Windows Server (2016-2025) and RHEL (7-9) images (CIS), patch baselines, EDR/antimalware, and golden AMI pipelines.
  • Evidence of governance at scale: compliance mapping (OWASP Top 10, NIST/ISO), risk registers, executive reporting, and continuous control monitoring.

Requirements

  • Proven on-prem to AWS migration experience for large application portfolios, including EC2-hosted Java/.NET and Oracle 19c to Exadata on AWS transitions.
  • Demonstrated design/implementation of AWS Landing Zone/Organizations, SCP guardrails, account baselining, and multi-account segmentation strategies.
  • Practical use of AWS security services: IAM, KMS, Secrets Manager, Certificate Manager, WAF/Shield, GuardDuty, Inspector, Security Hub, Macie, CloudTrail, Config.
  • Container security on EKS/ECS: IRSA, Pod Security Standards, network policies, admission controls (OPA/Gatekeeper/Kyverno), and ECR scanning.
  • Bachelor of Computer Science.