Security Engineer

Role -Application Security Engineer

Experience - 4-7 yrs

Location - Bangalore

Key Responsibilities

Internal VAPT & Security Testing

%CF; Execute internal VAPT on web applications, APIs, and React Native mobile applications, focusing on real-world attack paths.

%CF; Perform authenticated and authorization-focused testing, including BOLA/IDOR, broken access control, and session abuse.

%CF; Validate scanner results and provide reproducible evidence such as PoCs, request/response traces, and impact narratives. DAST Program Support

%CF; Improve DAST scanning reliability and signal quality by managing scope definition, scan profiles, and false positives.

%CF; Produce verified, developer-actionable outputs for the monthly DAST cadence.

%CF; Maintain stable test credentials and safe scanning practices for Tier-0/Tier-1 applications in coordination with the DAST owner.

Secure SDLC & DevSecOps Enablement

%CF; Support security checks integrated into GitHub Actions, including secrets scanning and

dependency hygiene.

%CF; Provide practical remediation guidance and secure coding recommendations for

Node/React/Next and API services.

%CF; Develop reusable developer guidance, such as secure patterns and verification scripts,

to reduce vulnerability recurrence.

Triage, Verification & Mobile Security

%CF; Triage findings from SAST, SCA, and DAST sources to ensure high-confidence issues reach engineering.

%CF; Verify fixes and ensure closure quality for high-risk issues.

%CF; Perform mobile security testing, including API endpoint discovery, secure storage assessments, and deep link validation.

External VAPT & Bug Bounty Support

%CF; Prepare scope, test accounts, and validation assistance for external VAPT execution.

%CF; Assist in retest verification for external findings.

%CF; Support bug bounty readiness through triage playbooks and severity assessment

guidance.

Qualifications & Experience

%CF; Education: Bachelor’s degree in Computer Science, Cybersecurity, Information Security,

or equivalent practical experience.

%CF; Experience: 3–5+ years in application security, product security, or penetration testing

with strong hands-on skills.

%CF; Technical Testing: Demonstrated experience in web application and API security

testing; mobile security experience is strongly preferred.

%CF; Tooling: Proficiency with at least two of the following: Accunetix, Burp Suite, OWASP

ZAP, SonarQube (or other SAST tools), dependency scanning, or secrets scanning

tools.

Technical Knowledge & Skills

%CF; Deep understanding of OWASP Top 10 and API security risks (BOLA/IDOR, mass

assignment, rate-limit abuse).

%CF; Strong grasp of authentication and authorization models, including JWT, OIDC, and

session handling.

%CF; Working knowledge of DevSecOps practices and embedding security testing into CI

workflows (GitHub Actions).

%CF; Ability to build reproducible proofs and utilize scripting (Python/Node) for light

automation.

%CF; Familiarity with Cloudflare WAF/API Shield and API gateway architectures (Kong/AWS

API Gateway) is a plus.