Swiggy - Lead Security Engineer - VAPT (6-8 yrs)
Swiggy
posted 1mon ago
Flexible timing
Job Profile : Software Development Engineer III - Security Engineering
Location : Bangalore | Karnataka
Years of Experience : 6 - 8yrs
About the Team & The Role :
Swiggy is looking for a skilled, motivated, and collaborative Lead Security Engineer with a strong security mindset to join our Security team. In this role, you will serve as an expert and mentor to team members. You will be a strong communicator and influencer, showing curiosity to learn and understand the business.
What will you get to do here?
Code Security :
- Code Obfuscation : Implement tools like ProGuard to hinder reverse engineering of mobile apps.
- Secure Coding Practices : Follow best practices to avoid common vulnerabilities, conduct regular security scans, and address new vulnerabilities.
- Third-Party SDKs/Libraries : Ensure compliance with license policies, identify security risks, and manage updates.
- Error Handling : Properly handle errors to avoid disclosing sensitive information and ensure debug logs are not included in production.
Authentication and Authorization :
- API Access Protection : Define, validate, and enforce the policies for secure access to API endpoints.
- Secure Testing/Debugging : Ensure that secure pages are well-protected and credentials are regularly rotated.
Device Security :
- Root/Jailbreak Detection : Detect and respond to rooted or jailbroken devices.
- Secure Storage Solutions : Use OS-provided secure storage options.
App Distribution Security :
- Monitoring for Piracy : Detect and prevent the distribution of pirated app versions.
User Privacy :
- Permission Management : Validate that we request only necessary permissions and explain their necessity.
- Data Minimization : Validate that we collect only necessary data and ensure it's correctly documented in privacy policies.
- Data Leak Prevention : Ensure that we don't leak sensitive user data in logs, analytics, dashboards, etc.
Threat Detection and Response :
- Runtime Application Self-Protection (RASP) : Detect and respond to threats in real-time.
- Incident Response : Quickly analyze and respond to security incidents, handling bot traffic and fraudulent cases effectively.
- Security Incident Patterns : Identify hacking patterns and implement protective rules.
Compliance and Legal Requirements :
- Regulations : Ensure compliance with data protection regulations (e.g., GDPR).
- Industry Standards : Adhere to industry-specific security standards and perform regular VAPT (Vulnerability Assessment and Penetration Testing).
Regular Security Testing :
- Penetration Testing : Conduct regular assessments to identify and fix vulnerabilities.
- Static and Dynamic Analysis : Use tools for comprehensive code analysis.
- Code Reviews : Regularly review code for security vulnerabilities.
Security Training :
- Developer Training : Educate developers on secure coding practices and raise security awareness.
- Builds and Executes Organizational Roadmaps : Plans and implements comprehensive security roadmaps.
What qualities are we looking for?
- A minimum of 6 - 8 years of security experience is required.
- Bachelor's in Computer Science, Information Security, or a related field.
- Proven Infra, Mobile application, and API security experience.
- Proficiency in CIS (Center for Internet Security) standards implementation and interpretation.
- Knowledge and understanding of security standards, security configuration reviews, secure architecture and cloud security.
- Secure coding, encryption, threat modeling, and security tools.
Functional Areas: Other