Microsoft Enterprise Services India Global Delivery (IGD) delivers end-to-end solutions to Microsoft’s customers by enabling accelerated adoption and productive use of Microsoft technologies. The InfoSec team in IGD ensures that the delivered solutions meet the highest security standards by employing the Security Development Lifecycle (SDL) process. The SDL includes activities such as Threat Modeling, Security Code Review, Security Testing and Security Deployment Review. The IGD InfoSec team is looking for skilled application security professionals who can work with project teams, perform security reviews on the solutions being developed and help the teams secure them.
The key responsibilities of the role are as follows:
- Work closely with project teams and understand the business context of the end-to-end solution.
- Proactively plan the security review schedule in waterfall and agile methodologies
- Perform threat modeling of the solution – identifying design-level threats & recommending mitigations
- Periodically deliver hands-on SDL trainings to developers, with focus on application security
- Perform security code review of the solution using manual and automated techniques
- Perform manual security testing of the application using proxy tools such as Burp
- Create automation scripts/tools whenever required to improve the efficiency of security reviews
- Use automated scanners to scan the solution and filter false positives
- Log review findings in VSTS with appropriate severity and perform regression once they are fixed.
- Set up regular meetings with project teams and provide status updates
- Create reports on security review findings, participate in triage discussions and customer meetings.
One or more of the following is a potential plus:
- Building applications in Microsoft technology stack – ASP.NET, Web APIs, SQL Server etc.
- Deploying applications in Azure and good understanding of Azure security concepts
- Participation in Bug Bounty programs, Capture the Flag (CTF) events
- Demonstration of security skills in security meetups/conferences/blogs
- Development of security tools, or hobby projects on GitHub
One or more of the following is a potential minus:
- Reporting security issues using automated security tools with no technical understanding of the issues
- Showcasing security certifications without demonstrating the corresponding conceptual/hands-on skill
- Not having written code in the last one year