Security Engineer

Signzy is a digital trust system. We provide identification, background checks, forgery detection and contract management systems which enable contracting in a trustable, safe, legal, and convenient manner. Our biometric user authentication system and blockchain-based digital trail ensure non-repudiation. This increases compliance and enforceability in the court of law. We consist of a tech-savvy team and are backed by investors who are enthusiastic about creating solutions with technology. Working at Signzy ● At Signzy we breathe software and exploit the latest technologies to create the most amazing products. We comprise a tech-savvy team and are backed by investors who are enthusiastic about creating solutions using technology. ● Signzy is looking for an Security Engineer . If you think you have what it takes to get the job done, this is an invitation to be a part of the future JD for Security Engineer-1 Role Responsibilities: Application Security Perform secure code reviews , threat modeling, and static/dynamic application security testing (SAST/DAST). Integrate and maintain automated scanning tools (e.g., Semgrep, Snyk, Trivy, Gitleaks) in CI/CD pipelines. Collaborate with developers to remediate vulnerabilities and embed security in SDLC. Guide on secure architecture patterns (authentication, authorization, data encryption, API security, mobile app protections like SSL pinning and mTLS). Infrastructure & Cloud Security Harden cloud infrastructure (AWS/GCP/Azure), including IAM, VPC design, encryption, and network segmentation. Implement infrastructure-as-code security checks for Terraform, Helm, and Kubernetes deployments. Conduct internal and external penetration tests , configuration reviews, and vulnerability management for servers, containers, and endpoints. Support continuous monitoring (WAF, SIEM, EDR/MDM) and incident response Security Assessments & Compliance Lead periodic security assessments : vulnerability assessments, penetration testing, firewall rule reviews, user-access audits, and network segmentation reviews. Document findings, track remediation, and provide risk-based recommendations. Assist with evidence gathering for ISO 27001, SOC 2, PCI-DSS, GDPR, and internal security audits. Continuous Improvement Research emerging threats (e.g., supply-chain attacks, npm/package ecosystem risks) and recommend mitigations. Contribute to security runbooks, policies, and developer awareness sessions. Qualification Must Have 2–4 years of experience in application or infrastructure security engineering. Strong understanding of web/mobile security, OWASP Top 10, cloud security fundamentals, and Linux/Unix systems. Hands-on experience with CI/CD pipelines and common security tools (SAST, DAST, container scanners, SIEM/EDR). Hands-on with SAST/DAST tools (e.g., Burp Suite, OWASP ZAP, Semgrep, Fortify) Knowledge of network & OS hardening (Linux, cloud workloads). Experience with internal and external penetration testing methodologies. Familiarity with common tools: Nmap, Metasploit etc., Hands on experience with Mobile application security testing [Android and iOS] Familiarity with threat modeling frameworks (STRIDE, MITRE ATT&CK) and SBOM management. Scripting or programming skills (Python, Go, Bash) for automation and custom tooling. Should have fundamental knowledge of cloud environments Security-first mindset with curiosity and analytical thinking. Ability to review firewall rules, ACLs, and security groups for least-privilege. Understanding of network segmentation and zero-trust principles. Ability to translate complex vulnerabilities into actionable, developer-friendly guidance. Collaborative approach to working with engineering, DevOps, and compliance teams. Strong reporting & documentation skills (writing assessment reports). Knowledge of security standards (ISO 27001, NIST 800-53, CIS Benchmarks). Good to Have Container & K8s Security : Familiarity with Trivy, Falco, Kubescape, Kyverno. IaC Security : Experience with Terraform/CloudFormation scanning (Checkov, Tfsec). DevSecOps Integration: Embedding security tests into CI/CD (GitLab, GitHub Actions, Jenkins). Advanced API Security : Hands-on with API gateways (Kong, Apigee, AWS API Gateway) and WAF tuning. Cloud-Native Security : Experience with GuardDuty, Security Hub, AWS Config, GCP SCC. Emerging Areas : AI/ML model security. Certifications (good-to-have, not must) : OSCP or Cloud Security certs (AWS Security Specialty).