Posted 16 June, 2026

Security Engineer

Recro
Bengaluru, KA, IN Full Time
Reference: 663e88e8b6ad3518

Job Description

Role - Application Security Engineer
Experience - 4-7 yrs
Location - Bangalore

Key Responsibilities

Internal VAPT & Security Testing
- Execute internal VAPT on web applications, APIs, and React Native mobile applications, focusing on real-world attack paths.
- Perform authenticated and authorization-focused testing, including BOLA/IDOR, broken access control, and session abuse.
- Validate scanner results and provide reproducible evidence such as PoCs, request/response traces, and impact narratives.

DAST Program Support
- Improve DAST scanning reliability and signal quality by managing scope definition, scan profiles, and false positives.
- Produce verified, developer-actionable outputs for the monthly DAST cadence.
- Maintain stable test credentials and safe scanning practices for Tier-0/Tier-1 applications in coordination with the DAST owner.

Secure SDLC & DevSecOps Enablement
- Support security checks integrated into GitHub Actions, including secrets scanning and dependency hygiene.
- Provide practical remediation guidance and secure coding recommendations for Node/React/Next and API services.
- Develop reusable developer guidance, such as secure patterns and verification scripts, to reduce vulnerability recurrence.

Triage, Verification & Mobile Security
- Triage findings from SAST, SCA, and DAST sources to ensure high-confidence issues reach engineering.
- Verify fixes and ensure closure quality for high-risk issues.
- Perform mobile security testing, including API endpoint discovery, secure storage assessments, and deep link validation.

External VAPT & Bug Bounty Support
- Prepare scope, test accounts, and validation assistance for external VAPT execution.
- Assist in retest verification for external findings.
- Support bug bounty readiness through triage playbooks and severity assessment guidance.

Qualifications & Experience
- Education: Bachelor's degree in Computer Science, Cybersecurity, Information Security, or equivalent practical experience.
- Experience: 3–5+ years in application security, product security, or penetration testing with strong hands-on skills.
- Technical Testing: Demonstrated experience in web application and API security testing; mobile security experience is strongly preferred.
- Tooling: Proficiency with at least two of the following: Acunetix, Burp Suite, OWASP ZAP, SonarQube (or other SAST tools), dependency scanning, or secrets scanning tools.

Technical Knowledge & Skills
- Deep understanding of OWASP Top 10 and API security risks (BOLA/IDOR, mass assignment, rate-limit abuse).
- Strong grasp of authentication and authorization models, including JWT, OIDC, and session handling.
- Working knowledge of DevSecOps practices and embedding security testing into CI workflows (GitHub Actions).
- Ability to build reproducible proofs and utilize scripting (Python/Node) for light automation.
- Familiarity with Cloudflare WAF/API Shield and API gateway architectures (Kong/AWS API Gateway) is a plus.
