Posted 17 June, 2026

Manager/Senior Manager - Platform Security Specialist

Government e Marketplace (GeM)
New Delhi, DL, IN Full Time
Reference: 775988a457040451

Job Description

Recruitment for the role of Manager/Senior Manager - Platform Security Specialist


About GeM


Government eMarketplace (GeM) is a unified digital platform that facilitates end-to-end procurement of goods and services by various government departments, organizations, and public sector undertakings (PSUs). Our Honourable Prime Minister’s concerted efforts to harness the power of digital platforms to achieve ‘Minimum Government, Maximum Governance’ led to the genesis of GeM in 2016.


GeM provides a paperless, cashless and contactless ecosystem for government buyers to directly purchase products and services from pan-India sellers and service providers through an online platform. GeM covers the entire gamut of the procurement process, from vendor registration and item selection by buyers to receipt of goods and facilitation of timely payments. GeM envisions using the agility and speed that come with a digital platform, created with the strategic intent to reinvigorate public procurement systems and bring about lasting change for the underserved as well as the nation.


Built on the pillars of Efficiency, Transparency and Inclusivity, GeM has emerged as a digital tool in the nation’s interest, aimed at catalyzing excellence in public procurement. To know more about us, please visit-


You may also follow us on social media platforms like – Twitter, LinkedIn, Koo App, YouTube, Facebook


GeM invites applications from eligible candidates for recruitment to the following position(s) on Contractual Basis:


This is a contractual engagement under the Project Management Unit (PMU) for an initial period of 5 years, extendable based on performance and organizational requirements.


Eligible applicants can apply by submitting their applications by 16-June-26.


The GeM selection committee reserves the right to relax or extend the eligibility criteria and educational qualifications. The crucial date for determining eligibility will be the last date of receipt of applications. No applications shall be entertained under any circumstances after the stipulated date. Incomplete applications, or applications without the application form, shall not be considered. GeM reserves the right to shortlist candidates for interview. Applicants should note that mere fulfilment of the minimum eligibility criteria may not ensure consideration for shortlisting for interview. GeM will not entertain any correspondence on this subject, and the decisions of GeM will be final in all matters.


Designation - Manager/Senior Manager - Platform Security Specialist

Level- E3/E4

Job Location- New Delhi

Type Of Employment- Contractual under the Project Management Unit (PMU) of GeM.


Role Overview

We are seeking a Platform Security Specialist with hands-on expertise in offensive testing, client-side exploitation, and architectural hardening to uncover and remediate vulnerabilities in GeM and in the new portal, which is currently under development.

This role will lead structured diagnostic assessments—including session management, context token validation, API replay protection, cross-window/browser exploitation, and fraud detection—while also executing real-world ethical hacking simulations to expose weaknesses before adversaries do.


You will design and enforce zero-trust client–server models, implement tamper-evident protocols, and ensure that critical business logic remains secure in our micro-frontend and microservices architecture.


Roles and Responsibilities

1. Offensive Security & Ethical Hacking

  • Perform full-spectrum penetration testing (frontend, backend, APIs) targeting:
      • React micro frontends and React Native mobile apps
      • Java Spring Boot and Ruby on Rails backend services
      • Integration points (API gateways, service orchestrations)
  • Simulate client-side tampering via:
      • Browser developer tools (DOM manipulation, JS injection)
      • Network request interception/replay
      • Cross-tab/window state manipulation
  • Conduct diagnostic assessments as per the security questionnaire:
      • Session & Search Management
          • Audit search session ID generation and isolation
          • Test multiple-tab/multiple-window handling
          • Verify that L1 (lowest price) determinations are server-authoritative
          • Assess persistence and cryptographic signing of search results
      • Purchase Token & Validation System
          • Analyze purchase API payloads for session binding & tokenization
          • Verify token one-time use & binding to search sessions
          • Detect cross-search purchase vulnerabilities
      • Cross-Window & Browser Security
          • Evaluate browser fingerprinting & cross-window manipulation detection
          • Test developer tools / DOM tamper detection capabilities
      • API Security & Replay Protection
          • Test request idempotency & replay attack resilience
          • Audit depth of server-side validation beyond authentication
          • Check request–response integrity & response signing mechanisms
      • Fraud Detection & Monitoring
          • Assess anomaly detection coverage & event correlation
          • Verify completeness of audit trails for forensic reconstruction
      • Architecture-Level Security
          • Map trust boundaries between client and server
          • Identify risks from client-side state manipulation

2. Defensive Architecture & Hardening

  • Architect context-token and payload-signing systems to bind requests to sessions, actions, and parameters.
  • Define and enforce Content Security Policy (CSP), Trusted Types, and Subresource Integrity (SRI) for all frontend assets.
  • Implement replay prevention mechanisms, idempotency keys, and anti-fraud telemetry.
  • Harden state management to ensure critical decisions and calculations are backend-only.

3. Monitoring & Detection

  • Develop client-side security monitoring:
      • DOM mutation detection
      • Service Worker–based egress guard
      • CSP/SRI violation reporting
  • Integrate client telemetry with the backend SIEM for real-time detection of tampering and fraud.
  • Establish continuous security regression testing pipelines in CI/CD.

4. Business Logic & Procurement Security

  • Identify and test for business rule bypasses that may allow manipulation of procurement workflows (e.g., bid extension, cancellation, or L1 price leakage).
  • Identify and assess workflows for bid manipulation risks, including collusion, proxy bidding, and last-minute sniping strategies.
  • Ensure that business-critical workflows are tamper-proof, auditable, and enforce compliance with government procurement norms.


Key Shared Accountabilities:


  • Proven ability to design token-based authorization, session isolation, and state synchronization security.
  • Strong knowledge of Java Spring Boot and Ruby on Rails security practices.
  • Experience with browser security models (CSP, Trusted Types, SRI, sandboxing).
  • Familiarity with fraud detection systems and audit logging best practices.
  • Certifications: OSCP, OSWE, CEH, GWAPT, or similar.


JOB QUALIFICATION & REQUIREMENTS


EXPERIENCE REQUIREMENTS

  • 8+ years in application security, penetration testing, or security architecture.
  • Mastery of web and API exploitation techniques (cross-site scripting (XSS), cross-site request forgery (CSRF), replay attacks, logic flaws).
  • Hands-on experience with security testing tools: Burp Suite, OWASP ZAP, Postman scripting, custom fuzzers.

Preferred Qualifications

  • Background in securing micro frontend / microservice architectures.
  • Experience with workflow orchestrations (Camunda 8, IBM BAMOE 9.1).
  • Familiarity with threat modeling and MITRE ATT&CK for Web.


EDUCATION REQUIREMENTS


  • B.Tech in Computer Science/IT/Software Engineering from a reputed institute/university


GOOD TO HAVE SKILLS

  • E-Procurement/Financial Systems Security (Preferred)
      • Experience with e-procurement fraud patterns preferred
      • Understanding of government procurement compliance requirements
      • Knowledge of bid manipulation and price manipulation attack vectors


Success Metrics

  • Identified & remediated vulnerabilities in all diagnostic questionnaire categories.
  • Zero critical security findings in post-release penetration tests.
  • Increased detection rate of client-side and API tampering attempts.
  • Measurable improvement in fraud prevention and audit trail completeness.

