Security Engineer

Signzy is a digital trust system. We provide identification, background checks, forgery detection

and contract management systems which enable contracting in a trustable, safe, legal, and

convenient manner. Our biometric user authentication system and blockchain-based digital trail

ensure non-repudiation. This increases compliance and enforceability in the court of law. We

consist of a tech-savvy team and are backed by investors who are enthusiastic about creating

solutions with technology.

Working at Signzy

● At Signzy we breathe software and exploit the latest technologies to create the most

amazing products. We comprise a tech-savvy team and are backed by investors who are

enthusiastic about creating solutions using technology.

● Signzy is looking for an Security Engineer . If you think you have what it

takes to get the job done, this is an invitation to be a part of the future

JD for Security Engineer-1 Role

Responsibilities:

Application Security

• Perform secure code reviews, threat modeling, and static/dynamic application security testing (SAST/DAST).
• Integrate and maintain automated scanning tools (e.g., Semgrep, Snyk, Trivy, Gitleaks) in CI/CD pipelines.
• Collaborate with developers to remediate vulnerabilities and embed security in SDLC.
• Guide on secure architecture patterns (authentication, authorization, data encryption, API security, mobile app protections like SSL pinning and mTLS).

Infrastructure & Cloud Security

• Harden cloud infrastructure (AWS/GCP/Azure), including IAM, VPC design, encryption, and network segmentation.
• Implement infrastructure-as-code security checks for Terraform, Helm, and Kubernetes deployments.
• Conduct internal and external penetration tests, configuration reviews, and vulnerability management for servers, containers, and endpoints.
• Support continuous monitoring (WAF, SIEM, EDR/MDM) and incident response

Security Assessments & Compliance

• Lead periodic security assessments: vulnerability assessments, penetration testing, firewall rule reviews, user-access audits, and network segmentation reviews.
• Document findings, track remediation, and provide risk-based recommendations.
• Assist with evidence gathering for ISO 27001, SOC 2, PCI-DSS, GDPR, and internal security audits.

Continuous Improvement

• Research emerging threats (e.g., supply-chain attacks, npm/package ecosystem risks) and recommend mitigations.
• Contribute to security runbooks, policies, and developer awareness sessions.

Qualification

Must Have

• 2–4 years of experience in application or infrastructure security engineering.
• Strong understanding of web/mobile security, OWASP Top 10, cloud security fundamentals, and Linux/Unix systems.
• Hands-on experience with CI/CD pipelines and common security tools (SAST, DAST, container scanners, SIEM/EDR).
• Hands-on with SAST/DAST tools (e.g., Burp Suite, OWASP ZAP, Semgrep, Fortify)
• Knowledge of network & OS hardening (Linux, cloud workloads).
• Experience with internal and external penetration testing methodologies.
• Familiarity with common tools: Nmap, Metasploit etc.,
• Hands on experience with Mobile application security testing [Android and iOS]
• Familiarity with threat modeling frameworks (STRIDE, MITRE ATT&CK) and SBOM management.
• Scripting or programming skills (Python, Go, Bash) for automation and custom tooling.
• Should have fundamental knowledge of cloud environments
• Security-first mindset with curiosity and analytical thinking.
• Ability to review firewall rules, ACLs, and security groups for least-privilege.
• Understanding of network segmentation and zero-trust principles.
• Ability to translate complex vulnerabilities into actionable, developer-friendly guidance.
• Collaborative approach to working with engineering, DevOps, and compliance teams.
• Strong reporting & documentation skills (writing assessment reports).
• Knowledge of security standards (ISO 27001, NIST 800-53, CIS Benchmarks).

Good to Have

• Container & K8s Security: Familiarity with Trivy, Falco, Kubescape, Kyverno.
• IaC Security: Experience with Terraform/CloudFormation scanning (Checkov, Tfsec).
• DevSecOps Integration: Embedding security tests into CI/CD (GitLab, GitHub Actions, Jenkins).
• Advanced API Security: Hands-on with API gateways (Kong, Apigee, AWS API Gateway) and WAF tuning.
• Cloud-Native Security: Experience with GuardDuty, Security Hub, AWS Config, GCP SCC.
• Emerging Areas: AI/ML model security.
• Certifications (good-to-have, not must): OSCP or Cloud Security certs (AWS Security Specialty).