CISO/ Security Manager /Senior Security Manager

Function:

• Application Security

• Information Security

• Vulnerability Assessment

• Cloud Security

• Product Security

Your Opportunity :

• Work with stakeholders to define and own the Security road map for one or more business areas and build the Security processes from scratch.

• Provide technical and scientific leadership to the team

• Roll up your sleeves and do hands-on work.

• Build, coach, mentor, and grow the team.

• Be at the forefront of emerging vulnerabilities/threats which could affect Cashfree products through independent research and study.

• Examine the products in detail to discover vulnerabilities and collaborate with the other security engineers to practically demonstrate the exploitability and risk factors.

• Engage with the developers in developing workarounds/mitigation plans and ensure they are implemented per policy.

• Engage with the development teams to conduct secure design reviews/threat modeling exercises to enumerate threats and mitigation strategies.

• Enable the developers with knowledge of threat modeling by conducting focused workshops.

• Secure Coding: Priorities critical defects and ensure these are identified and mitigated during the sprint.

• Integration and automation of SAST in the DevOps pipeline.

• Build secure coding principles and propagate them across the development community.

• Be the to-go person for developers in solving critical issues relating to secure product development.

• Build and enhance secure coding/security assessment training content for developers and the QA team.

• Deliver training programs at various levels in the organizations.

• Evangelse, conduct workshops/security tech talks to disseminate security knowledge and awareness.

• Conduct white-box and grey-box offensive penetration testing against applications, front-end and back-end micro-services, and web services.

• Conduct network infrastructure, Public Cloud (AWS and GCP), and data-layer offensive pen testing.

• Perform manual source code reviews and audits (manual and SCA/SAST code audits) as needed.

• Perform any other application security or product security-related activities or tasks as needed or directed.

• Validate 3rd party external pen-test and crowd-sourced application security findings and work with our engineering teams.

Requirements :

• B. S. in Computer Science, Electrical, or Computer Engineering, or equivalent work experience as a security practitioner.

• 12+ years of relevant engineering or security assessment experience, experience in application security.

• Possess a broad knowledge of attack vectors, exploits, and mitigations that work at scale or may be linked together for chained attacks.

• Experience with Java, Go, Python, or Node.js (bonus points for more than one).

• Experience with assessing Cloud-native services, service meshes, and K notes-platform-based micro-services.

• Be able to apply unconventional thinking and problem-solve on the boundary of your knowledge base, learning new technologies or languages as needed to complete pen-test tasks.

• Be able to think both offensively (like a hacker) and defensively (evaluating product security and design).

• Familiarity with industry-standard threat modeling, risk modeling, and vulnerability classification.

• Experience with pre-assessment architectural and API analysis to the scope and preparing white-box and grey-box assessments.

• Integrating security tools, standards, and processes into the product life cycle (PLC).

• Experience working with in-house engineering organizations, S-SDLC/CICD software lifecycle, and QA processes.

• Good knowledge of multiple classes of vulnerabilities that includes cross-site scripting, SQL Injection, CSRF, cryptographic-related weakness, and code injection.

• Good knowledge of any programming/scripting languages such as Java, Ruby, and Python.

• Good knowledge relating to services/technology relating to the cloud.

• Ability to automate security testing and improve productivity in security assessments.

• Ability to communicate and interpret security vulnerabilities to various audiences such as development and management teams.