Senior Application Security Engineer

About NopalCyber NopalCyber makes cybersecurity manageable, affordable, reliable, and powerful for companies that need to be resilient and compliant. Through Managed Extended Detection and Response (MXDR), Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Advisory Services, we fortify our clients’ cybersecurity across both offense and defence. Our AI-driven Nopal360° platform, NopalGo mobile app, and proprietary Cyber Intelligence Quotient (CIQ) enable organizations to quantify, track, and visualize their cybersecurity posture in real time. We democratize enterprise-grade security operations for organizations of all sizes by lowering the barrier to entry while raising the bar for security and service. Location: Nopal Cyber, Hyderabad (Work from Office, 5 Days a Week) Employment Type: Full-time Key Responsibilities - Run Static Application Security Testing (SAST) using tools such as SonarQube, Fortify, Checkmarx, Veracode, etc., to identify source-code vulnerabilities across multiple languages and frameworks (Java, .NET, Python, JavaScript, etc.). - Configure and execute SAST scans, fine-tune rules, manage false positives, and integrate scans into CI/CD pipelines. - Perform Dynamic Application Security Testing (DAST) (authenticated and unauthenticated) on web apps, APIs, and services; analyse results and validate findings. - Combine SAST and DAST outputs to provide holistic vulnerability coverage and support secure SDLC initiatives. - Plan and conduct Vulnerability Assessment and Penetration Testing (VAPT) for web applications, APIs, and backend services to identify business logic, configuration, and runtime flaws. - Map VAPT findings back to code-level issues discovered in SAST to close the loop with development teams. - Work with developers and DevSecOps engineers to remediate vulnerabilities and embed security testing into build pipelines. - Use Software Composition Analysis (SCA) tools such as Snyk, White Source, Nexus Lifecycle, Black Duck to identify open-source and third-party risks (vulnerabilities, license issues, outdated components). - Generate, validate, and manage Software Bills of Materials (SBOMs) in formats like CycloneDX and SPDX to strengthen software supply chain security. - Monitor transitive dependencies and unverified sources to prevent supply-chain compromise. - Apply secure coding principles aligned with OWASP Top 10, CWE, and language-specific security pitfalls. Required Skills & Experience - 8–12 years of experience in Application Security with direct, hands-on expertise in SAST, DAST, SCA, and VAPT. - Strong knowledge of secure software development practices and common vulnerability classes (OWASP Top 10, CWE, ASVS, language-specific security pitfalls). - Hands-on experience integrating security testing into CI/CD pipelines (Jenkins, Azure DevOps, GitLab CI, GitHub Actions). - Practical expertise with SAST tools (SonarQube, Fortify, Checkmarx, Veracode) and SCA tools (Snyk, White Source, Nexus Lifecycle, Black Duck). - Working knowledge of security architecture frameworks (e.G., SABSA) and threat modeling methodologies (e.G., STRIDE, attack trees) to support risk-based application security design and assessment. - Ability to validate and triage false positives, priorities vulnerabilities, and provide actionable remediation guidance to developers. - Ability to develop and present detailed application security assessment reports, code-level remediation plans, and secure coding guidance aligned with industry standards and compliance requirements. - Strong communication skills to convey technical findings to technical and executive stakeholders. Educational Qualifications - Bachelor’s degree in engineering, Computer Science, or related discipline. - CEH Certification (Mandatory) plus one or more advanced certifications: - EC-Council Certified Application Security Engineer (CASE – Java/.NET) - GIAC Secure Software Programmer (GSSP – Java/.NET) - Programming language-neutral certifications like CSSLP. Personal attributes - Self-starter and quick learner requiring minimal ramp-up - Excellent written, oral, and interpersonal communication skills - Highly self-motivated, self-directed, and attentive to detail - Ability to effectively prioritize and execute tasks in a high-pressure environment