Cyber Security Analyst

1.Application Security Engineer

Mandatory skills:

8â"“10-years of manual penetration testing experience(

Mobile, Web application , Web services, API)

Manual pen test experience on mobile application at least 20+ apps. T he ability to notice â"oddâ" behavior and able to take the initiative to investigate it.

Manual Web application and Web Services, API experience more then 300+ Applications.

Very good in reporting as per the best practices.

Person should know the vulnerability and the remediation in depth so that he can suggest the same to all the stakeholders.

Expert in Burp Suite tool.

Technical Skills:

Knowledge of how to put into practice the OWASP Security Testing Standard.

Fair understanding of testing the applications behind the Web Application Firewall and the evasion techniques.

Good pen testers have the drive to keep digging and enjoy solving puzzles.

Tools and procedures can be learned, but the â"knackâ" or â"hacker geneâ" is something that the person must have developed on their own or they will never be a top-level tester.

As far as tools, the baseline is the same as web app pen testing, e.g., Kali, Burp, Python, Wireshark, radar, etc.

For mobile app specific tools, theres Frida, MARA, Cydia, and others- there are multiple platforms that can accomplish the same thing, so to an extent its the testers preferences.

In addition to the basic scripting skills necessary for most pen testing, a mobile pen tester should have experience with Java and Objective-C as those are the main languages for app development, as well as JavaScript since thats how Frida interactions are done (as mini-JS scripts to control the app and hook function calls).

Ideally a tester will have experience as a mobile app developer, since its easier to understand the disassembly of an app if you understand how it was put together in the first place.

A good understanding of jailbreaking, certificate management, and MITM operations are also necessary since natively the mobile application and the device will not allow MITM.

Banking and financial domain experience would be addon to the existing skillsets.

Last but not the least the person should have the excellent soft skill and a good team player.

2. DevSecops Engineer:



Role Overview
The Application DevSecOps Program is seeking a DevSecOps Security Engineer who will be responsible for executing comprehensive security scans, including but not limited to SAST, DAST, IAST, and ad-hoc penetration testing. The candidate will play a critical role in advancing the "Shift Left and Secure Early" initiative, ensuring security vulnerabilities are identified and mitigated early in the development lifecycle.

This role involves analyzing security vulnerabilities and providing remediation solutions by writing secure code, offering guidance to development teams, and coordinating with cross-functional teams across the platform.

Key Responsibilities

Hands-on experience in creating and implementing DevSecOps pipelines using CI/CD automation tools such as Jenkins, GitHub Actions, CheckmarxOne, BurpSuite, and other open-source security tools.

Implement and enforce Application Cyber Security Controls/Policies developed by the DevSecOps Program.

Perform security vulnerability demonstrations for application teams to help them understand the impact and remediation strategies.

Drive resolution of application security issues, collaborating with development and operations teams.

Provide clear, actionable guidance to application teams for effective vulnerability mitigation and secure coding practices.

Conduct comprehensive application security assessments using industry-standard security tools (SAST, SCA, DAST, PT, etc.).

Automate repetitive tasks using tools such as Postman, PowerShell, and Python scripting.

Create and maintain executive-level dashboards to track security metrics and assessments using PowerBI or similar reporting tools.

Categorize and recommend security assessment strategies for both existing and new application development projects.

Provide training and coaching to development and supplier teams on application security best practices and secure coding techniques.

Develop training material and conduct training sessions to improve security awareness across teams.

Skill-set Required

Hands-on experience in writing secure code in languages such as Java, JavaScript, Python, and .NET.

Proven experience running security scans, including SAST, SCA, DAST, and penetration testing (PT).

Deep understanding of the OWASP Top 10 vulnerabilities and mitigation strategies for each.

Solid background in application development, including working with compiled code, mobile applications, website design, and web services.

Proficient in programming, scripting, and query languages such as Java, SQL, HTML, JavaScript, Python, and PowerShell.

Familiarity with cloud security practices (AWS, Azure, or GCP) and container security (Docker, Kubernetes) is a plus.

At least 3-5 years of DevSecOps experience focused on application testing, security integration, and automation.

Preferred:Candidates with scripting experience in Python, Shell scripting, or other automation tools.

3.Vulnerability Assessment and Penetration Testing:

This role is responsible for providing strong security testing services to meet project requirements.
Solid competencies in information security processes, framework, and technologies, such as:Application Vulnerability Assessment, Penetration Testing, Ethical Hacking, OWASP Top 10, NIST, OSSTMM, OSINT etc.
Good understanding of core security mechanisms, crypto libraries, and server-side security.
Good understanding of supported frameworks and cleansers functions.
Ability to understand vulnerabilities, interact and explain security risks/ impact to teams.
Document vulnerabilities and collaborate with application team to help provide remediation.
Experience in tools Appscan, Burp Suite, Insomnia REST and opensource tools like kali Linux.
Adopt risk-based approach to translate technology risk into actual business impacts and prioritized actions.
Prepare and propose any security tools to facilitate qualitative security testing.
Ability to listen and articulate ideas verbally and in written formats to a broad range of audiences; ability to ask probing questions and deliver presentations that have impact.
Any security certifications are a plus. OSCP preferred.
Exposure to banking/ financial services domain is a plus.