Product Security Lead

Location: Chennai (HQ) - Onsite

Function: Product Security

Experience: 7–12 years (incl. 2+ years in a lead/ownership role)

About the role

We're looking for an Product Security Lead to embed security into our SDLC and own end-to-end VAPT remediation across our lending product suite (LOS/LMS, rules engine, analytics). You'll partner with engineering and platform teams to design, build, and operate secure-by-default products used by leading financial institutions.

What you'll do

- Own the Secure SDLC for microservices (Java/Spring Boot), Node/TypeScript backends, Angular UIs, and Android/Flutter apps—policy, standards, and release gates.
- Build and run CI/CD security controls: SAST, SCA/SBOM, secrets & IaC checks, container/image scanning; automate DAST/IAST in pipelines; enforce block-on-fail where needed.
- Drive VAPT end-to-end: scope with internal/third-party testers, triage findings, set SLAs, track remediation to closure; verify fixes and prevent regressions.
- Threat model & review designs/code for authN/Z, crypto, session management, API security, data protection/PII, and high-risk modules (payments, onboarding, documents).
- Cloud & platform security (AWS): baselines for EC2/ALB, RDS/KMS, S3 policies, network segmentation, mTLS/JWT service auth, Vault-backed secrets, and key rotation.
- Observability & governance: wire security logs to SIEM, define AppSec KPIs (MTTR, SLA adherence, gate coverage), and report risk posture to engineering leadership.
- Upskill teams: run secure coding workshops, build a "security champions" program, create playbooks/runbooks for common vulns and abuse cases.

What you'll bring

- 7–12 years in Application/Product Security, including leading Secure SDLC and VAPT remediation in a product engineering environment.
- Hands-on with SAST/SCA/DAST/IAST, code reviews, and threat modeling (e.g., STRIDE); ability to read code in Java/Spring, Node/TypeScript, and Angular.
- Prior experience in integrating security checks and gating critera with CI platform like SonarQube
- Strong grasp of OWASP Top 10, API Security Top 10, ASVS, CWE, secrets management, and CI/CD hardening.
- AWS security experience: IAM, KMS, RDS encryption, SG/WAF, CloudTrail/GuardDuty; familiarity with Docker/Kubernetes and IaC (Terraform/CloudFormation).
- Experience running vendor/3rd-party VAPT cycles and landing fixes to SLA with engineering teams.
- Awareness of compliance contexts (ISO 27001/SOC 2, RBI guidance, DPDP Act) and secure handling of PII/financial data.
- Nice to have: mobile app security (OWASP MASVS), OAuth2/OIDC, mTLS, WebAuthn/modern auth patterns; Kafka, Redis, NGINX, Consul, Vault.
- Certifications (optional, a plus): OSWE/OSCP, GWAPT/GWEB, CSSLP.

What success looks like (first 6 months)

- ≥ 95% of Critical/High findings closed within SLA across services.
- All repos behind security gates with SBOMs published; zero hard-coded secrets; baseline threat models for top services.
- Repeatable VAPT → remediation → verification loop with dashboards visible to leadership.

Why join us

- Build security for mission-critical fintech products at scale.
- High ownership, direct impact, and the chance to set the bar for product security across our stack.
- Collaborative culture with strong engineering, rapid delivery, and growth opportunities.

---