Senior Application Security Engineer / AppSec Architect

Recutify Inc.
Irving, United States of America
2 days ago

Role details

Contract type
Temporary to permanent
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior
Compensation
$ 125K

Job location

Irving, United States of America

Tech stack

Testing (Software)
Kubernetes Security
Java
JavaScript
API
Artificial Intelligence
Amazon Web Services (AWS)
Business Logic
Software System Penetration Testing
Azure
Bash
Biometrics
Burp Suite
C++
Cloud Computing
Cloud Computing Security
Cloud Engineering
Static Program Analysis
Computer Security
Computer Programming
Cross-Site Request Forgery
DevOps
Digital Forensics
Digital Signature
Distributed Systems
Fiddler (Software)
Fraud Prevention and Detection
Github
Hardware Security Module
Identity and Access Management
Mobile Application Software
Information Systems Security Architecture Professional
JSON
Python
OAuth
OpenID
Open Web Application Security
PCI Data Security Standards
Public Key Infrastructure
Systems Development Life Cycle
Fortify (Software)
Red Team (Cyber Security)
Zero Trust Network Access
Security Assertion Markup Language (SAML)
Secure Coding
Web Application Security
Security Information and Event Management
Single Sign-On
Software Engineering
SQL Injection
Tcpdump
Wireshark
Web Applications
YAML
Forensic Toolkit
Symantec
Google Cloud Platform
Enterprise Software Applications
Cloud Platform System
Cyberark
Sonatype
Software Security
Mitre Att&ck
QRadar
Cross-Site Scripting (XSS)
Gitlab-ci
Information Technology
Encase
REST
Terraform
Splunk
Devsecops
Qualys
Docker
Jenkins
Static Application Security Testing
Go
Microservices
Dynamic Application Security Testing

Job description

We are seeking a highly skilled Senior Application Security Engineer with deep expertise in Application Security Testing, Penetration Testing, Secure SDLC, Cloud Security, and DevSecOps. The ideal candidate will possess strong hands-on experience performing advanced security assessments across enterprise web applications, APIs, cloud-native platforms, and distributed environments. This role requires extensive experience identifying and remediating complex vulnerabilities including OWASP Top 10 issues, authentication/authorization weaknesses, SSRF, injection flaws, insecure deserialization, business logic vulnerabilities, and cloud security misconfigurations across AWS, Azure, and hybrid enterprise infrastructures. The candidate will work closely with Engineering, DevOps, Cloud Architecture, Risk, Compliance, and Product Security teams to integrate security across the software development lifecycle while driving proactive risk reduction initiatives.

Day to Day responsibilities

As a Security Engineer/Tester, you will be performing authorized security testing on some of the very complex, massive-scale, and highly critical applications. As part of a shift-left focus, you will be working as part of the development team along with developers to proactively identify any security vulnerabilities (OWASP Top 10, SANS Top 25, CWE) at the earliest, before they are discovered late in the cycle by InfoSec teams or in production. You will be working as a liaison between the InfoSec team and development teams, understanding the security issues reported by central InfoSec teams to development teams to help them understand and fix them. You need to be highly passionate about following the constantly changing threat landscape and familiarize yourself with the latest security vulnerabilities that impact the team.

Application Security & Penetration Testing

Perform advanced manual and automated penetration testing across web applications, APIs, microservices, cloud-native workloads, and distributed enterprise systems. Conduct SAST, DAST, and SCA assessments using tools such as Fortify, Snyk, Burp Suite, Qualys, Invicti, Wiz, and DefectDojo.

Identify and validate vulnerabilities including:
Injection flaws (SQLi, Command Injection)
Broken Authentication & Authorization
SSRF
IDOR
XSS
CSRF
Prototype Pollution
Insecure Deserialization
Business Logic Vulnerabilities
API Security Weaknesses

Perform secure code reviews across Java, JavaScript, Python, C++, and Go applications. Develop proof-of-concepts, custom exploit scripts, fuzzers, and security automation tools using Python, Go, Bash, and JavaScript. Conduct adversary simulations and red-team-style attack assessments to identify attack paths and lateral movement risks.

Security Operations & Threat Management

Support enterprise security monitoring, incident response, and forensic investigations. Analyze SIEM alerts and threat telemetry using Splunk, QRadar, Chronicle, and Sourcefire. Conduct root cause analysis (RCA) and threat hunting activities across enterprise environments. Develop and tune security detection logic, correlation rules, and anomaly detection workflows. Support digital forensics investigations using EnCase, FTK, Wireshark, and TCPDump. Assist in fraud detection, AML investigations, and transaction anomaly analysis.

Data Protection & Zero Trust Security

Implement and manage enterprise DLP and endpoint protection solutions.

Configure and administer:
CrowdStrike
CyberArk PAM
Netskope
Zscaler
Microsoft Purview DLP
Symantec DLP

Design Zero Trust security architectures and privileged access governance controls. Implement endpoint hardening and insider threat mitigation strategies.

Web Application Security
API Security Testing
Penetration Testing
Threat Modeling
Secure Code Review
Secure Architecture Reviews

Deep understanding of:
OWASP Top 10
MITRE ATT&CK
NIST Cybersecurity Framework
Security by Design principles

Security Tools
Burp Suite
Fortify
Snyk
Invicti
Qualys
Wiz
DefectDojo
Splunk
QRadar
CrowdStrike

Cloud & DevSecOps
AWS Security Architecture
Azure Security Architecture
Terraform
Jenkins
GitHub / GitLab CI/CD
Kubernetes Security
Docker Security
Infrastructure as Code (IaC)

Programming & Automation
Python
GoLang
JavaScript
Bash
REST APIs
JSON/YAML

Requirements

You must be self-directed, able to work independently, as well as work in a team-oriented and fast-paced environment. You need to be aware of varied application security domains like authentication, authorization, identity management, cryptography, etc. You require very good communication and presentation skills to be able to present your findings to Leadership/Management/Development teams to help them understand the risk so that they can take informed decisions on mitigations, controls and residual risk. The ideal candidate is a team player, self-starter and quick learner with 3+ years of experience in software development/testing with large-scale enterprise applications. The working experience requirement can be relaxed if the candidate has the right skillset and the capability to learn quickly. When submitting a candidate under this consideration, please highlight examples of quick learning on the resume.

3+ years of experience in software development/testing with large-scale enterprise applications.

Primary Skill
Manual and automated testing (testing will be done on software)
Deep understanding of different web application technologies, web protocols (HTTP, HTTPS, etc.), browser technologies, etc.
In-depth domain understanding of application security in terms of Identity and Access Management (IAM) and different authentication technologies (passwords, biometrics, OTP, digital certificates & PKI, device authentication, FIDO U2F/Passkeys, etc.)
Proven expertise on different security testing tools (proxy tools like Fiddler, black box security testing tools like Burp, static security code analysis tools)
Deep understanding of different application security vulnerabilities such as OWASP Top 10, SANS Top 25, CWE, attack patterns (CAPEC), etc.
Bachelor's Degree in Computer Science or equivalent experience
Must be self-directed, able to work independently, as well as work in a team-oriented and fast-paced environment
Working experience on different security technologies and standards like Single Sign-On (SSO) using SAML/OpenID, OAuth protocols, etc.
Good understanding of cryptographic algorithms and standards like symmetric/asymmetric crypto techniques, digital signatures, JWS/JWE tokens, Hardware Security Modules (HSMs), etc.
Understanding of security vulnerabilities related to cloud environments is an added advantage
Well-known security certifications are an added advantage
Understanding of Threat Modelling concepts and Secure Development Life Cycle processes
Mobile Application Security familiarity is desirable

CISSP Certification preferred
CCSK / Security+ preferred
Experience in Healthcare, Financial Services, or Regulated Enterprise environments
Experience supporting PCI-DSS, HIPAA, ISO 27001, SOX, and NIST compliance initiatives
Strong communication, stakeholder management, and executive reporting experience
Experience mentoring junior security engineers and leading security initiatives

Nice to Have
Red Team / Offensive Security experience
AI/ML Security exposure
Cloud-native container security experience
Fraud analytics and payment security domain experience
Experience with Chronicle SIEM and GCP Security services

Education

Bachelor's Degree in Computer Science, Cybersecurity, Information Technology, or related discipline.

Benefits & conditions

$55 - $60 an hour - Temp-to-hire
