Senior Security Engineer

Job Tittle - Security Test Engineer

Job Type: Full-time

EXP 5+ Years

Location - Gurgaon

Roles & Responsibilities:

Perform Security Assessments: Conduct various types of security testing,

including:

1. Penetration Testing: Perform black-box, gray-box, and white-box penetration

testing on web applications, APIs, mobile applications (iOS/Android), and

network infrastructure.

2. Vulnerability Assessments: Utilize automated and manual techniques to

identify security weaknesses.

3. Static Application Security Testing (SAST): Analyze source code to identify

potential vulnerabilities.

4. Dynamic Application Security Testing (DAST): Test applications in a running

state and vulnerabilities.

5. Interactive Application Security Testing (IAST): Combine elements of SAST and

DAST for comprehensive testing.

6. Configuration Reviews: Assess the security posture of various systems and

applications.

7. Threat Modeling: Participate in threat modeling sessions to identify potential

attack vectors and vulnerabilities early in the development lifecycle.

8. Vulnerability Management:

Document identified vulnerabilities clearly and concisely, including steps to

reproduce, impact, and severity.

Communicate findings to development teams and stakeholders effectively.

Track and manage vulnerabilities through their lifecycle, from discovery to

remediation and retesting.

Provide guidance and recommendations to development teams on remediation

strategies.

9. Security Tooling & Automation:

- Utilize and configure security testing tools (e.g., Burp Suite, OWASP ZAP, Nessus,

Acunetix, Fortify, Checkmarx, Metasploit).

- Develop and implement automated security tests and scripts to improve efficiency.

- Stay up-to-date with the latest security testing tools, techniques, and best

practices.

10. Collaboration & Communication:

- Collaborate closely with development, DevOps, QA, and product teams to

integrate security into the SDLC (Secure SDLC).

- Educate and mentor developers on secure coding practices and common vulnerabilities.

- Participate in security code reviews.

- Present security findings and recommendations to technical and non-technical

audiences.

11. Research & Development:

- Stay informed about emerging security threats, attack vectors, and industry

trends.

- Contribute to the improvement of security testing methodologies and processes.

Participate in security community activities, conferences, and training.

Required Skills & Qualifications:

• Education: Bachelor's degree in computer science, Information Security, or a
  
  related field (or equivalent practical experience).

• Experience:
  
  Mid-Level: 3-6 years of experience in security testing, penetration testing, or
  
  application security.

Senior Level: 6+ years of experience in security testing, leading penetration

testing engagements and architecting secure solutions.

Technical Skills:

• Strong understanding of web application security vulnerabilities (e.g., OWASP
  
  Top 10, SANS Top 25).
  
  o Proficiency with security testing tools (e.g., Burp Suite, OWASP ZAP, Nmap,
  
  Metasploit).
• Experience with various operating systems (Linux, Windows).
• Familiarity with scripting languages (e.g., Python, Ruby, PowerShell, Bash).
  
  Understanding of network protocols, firewalls, and intrusion
  
  detection/prevention systems.
• Knowledge of secure coding principles and common programming languages
  
  (e.g., Java, Python, C#, JavaScript, ).
• Experience with cloud security (AWS, Azure, GCP) is a strong plus.
  
  Familiarity with CI/CD pipelines and integrating security into automated workflows.

Soft Skills:

- Excellent analytical and problem-solving skills.

- Strong communication and interpersonal skills, with the ability to explain complex technical concepts to non-technical audiences.

- Ability to work independently and as part of a team.

- High attention to detail and a methodical approach to testing.

- Curiosity and a strong desire to learn and stay current with security trends.

Desired Certifications (Plus, but not required):

OSCP

OSWE

CEH (Certified Ethical Hacker)

CompTIA Security+

SANS certifications (e.g., GWEB, GWAPT, GPEN)

CSSLP (Certified Secure Software Lifecycle Professional)