Senior Security Engineer

Weekday.com

Office

Chennai, Tamil Nadu, India

Full Time

This role is for one of Weekday’s clients

Salary range: Rs 2500000 - Rs 5000000 (i.e., INR 25-50 LPA)

Min Experience: 8 years

Location: Chennai

Job Type: full-time

Requirements

Key Responsibilities

Application Security Assessment & Testing

  • Conduct comprehensive security assessments of microservices-based applications built with GoLang, Java, or Scala
  • Perform security reviews of Vue.js and ReactJS frontend applications and their interaction with backend services
  • Execute manual and automated web application penetration testing using industry-standard methodologies (OWASP Testing Guide, PTES)
  • Conduct vulnerability scoring and risk assessment using CVSS framework and custom business impact metrics
  • Utilize govulncheck for Go-specific vulnerability detection and dependency analysis in GoLang microservices
  • Deploy Semgrep/OpenGrep for static code analysis across multiple programming languages and frameworks
  • Integrate Gitleaks for automated secret detection and credential scanning in source code repositories
  • Execute static application security testing (SAST) and dynamic application security testing (DAST) across the entire stack
  • Conduct penetration testing and vulnerability assessments on payment processing applications and microservices
  • Perform web application penetration testing including authentication bypass, authorization flaws, injection attacks, and business logic vulnerabilities
  • Review and analyze code for security vulnerabilities with focus on microservices communication patterns and frontend security
  • Assess API gateways, service meshes, and inter-service authentication mechanisms
  • Implement and maintain automated security testing tools in CI/CD pipelines for both frontend and backend components

Secure Development Lifecycle (SDLC)

  • Integrate security practices into the software development lifecycle
  • Collaborate with development teams to implement secure coding practices
  • Conduct security architecture reviews and threat modeling sessions
  • Provide security requirements and guidelines for new application features
  • Establish and maintain application security standards and best practices

Vulnerability Management

  • Identify, prioritize, and track application security vulnerabilities across multiple technologies
  • Implement comprehensive vulnerability scoring using CVSS v3.1, OWASP Risk Rating, and custom business impact assessments
  • Develop risk scoring matrices that incorporate technical severity, business impact, and exploitability factors
  • Utilize govulncheck for proactive Go vulnerability management and dependency tracking
  • Deploy Gitleaks for continuous secret detection and credential exposure prevention
  • Implement Semgrep/OpenGrep for custom vulnerability pattern detection and policy violations
  • Create detailed penetration testing reports with executive summaries, technical findings, and remediation roadmaps
  • Establish vulnerability SLA metrics and track remediation timelines based on risk scores
  • Work with development teams to remediate identified security issues
  • Maintain vulnerability management processes and ensure timely resolution
  • Perform risk assessments and provide recommendations for vulnerability mitigation
  • Monitor and respond to emerging application security threats
  • Create and maintain security metrics and KPIs for vulnerability remediation

Security Tools & Automation

  • Implement and manage application security scanning tools (SAST, DAST, IAST)
  • Deploy govulncheck for continuous Go vulnerability monitoring in GoLang microservices
  • Integrate Gitleaks for automated secret scanning across development workflows and CI/CD pipelines
  • Configure Semgrep/OpenGrep rules for custom security pattern detection and policy enforcement
  • Develop and maintain security automation scripts and tools
  • Integrate security tools into development workflows and CI/CD pipelines
  • Evaluate and recommend new application security technologies and solutions
  • Create custom security rules and policies for language-specific vulnerabilities
  • Automate security testing for containerized applications and microservices

Compliance & Documentation

  • Ensure applications comply with financial industry regulations (PCI DSS, PSD2, etc.)
  • Maintain security documentation, procedures, and incident response plans
  • Support compliance audits and security assessments
  • Create and deliver application security training for development teams

Required Qualifications

Experience

  • 4+ years of experience in application security, with focus on web and mobile applications
  • Strong experience securing microservices architectures, particularly those built with GoLang, Java, or Scala
  • Hands-on experience with frontend security for modern JavaScript frameworks (Vue.js, ReactJS)
  • Extensive experience in web application penetration testing including OWASP Top 10, business logic flaws, and authentication/authorization bypasses
  • Proven expertise in vulnerability scoring and risk assessment using CVSS, OWASP Risk Rating, and custom scoring methodologies
  • Proven experience with security automation tools: govulncheck (Go vulnerability scanning), Gitleaks (secret detection), Semgrep/OpenGrep (static analysis)
  • Experience with application security testing tools (Burp Suite, OWASP ZAP, Veracode, Checkmarx, etc.)
  • Hands-on experience with penetration testing and vulnerability assessment
  • Experience with secure code review and static/dynamic analysis tools
  • Knowledge of common web application vulnerabilities (OWASP Top 10) and microservices-specific security challenges

Technical Skills

  • Proficiency in backend programming languages with strong focus on GoLang, Java, or Scala for microservices architecture
  • Experience with frontend frameworks, particularly Vue.js and ReactJS for modern web applications
  • Advanced proficiency with security tools: govulncheck (Go-specific vulnerability detection), Gitleaks (credential scanning), Semgrep/OpenGrep (multi-language static analysis)
  • Expert-level web application penetration testing skills using tools like Burp Suite Professional, OWASP ZAP, Nuclei, and custom exploitation frameworks
  • Comprehensive knowledge of vulnerability scoring frameworks including CVSS v3.1, OWASP Risk Rating Methodology, and FAIR (Factor Analysis of Information Risk)
  • Experience with automated penetration testing tools and frameworks for continuous security validation
  • Strong understanding of microservices security patterns and inter-service communication
  • Experience with API security testing and assessment (REST, GraphQL, gRPC)
  • Knowledge of mobile application security (iOS/Android)
  • Familiarity with cloud security (AWS, Azure, GCP)
  • Understanding of database security and secure data handling
  • Experience with containerized applications and orchestration platforms

Security Knowledge

  • Deep understanding of application security principles and best practices
  • Expert knowledge of web application penetration testing methodologies (OWASP Testing Guide, PTES, NIST SP 800-115)
  • Advanced understanding of vulnerability scoring and risk quantification using industry-standard frameworks
  • Knowledge of security frameworks and standards (OWASP, NIST, ISO 27001)
  • Experience with threat modeling and risk assessment methodologies
  • Understanding of cryptography and secure communication protocols
  • Knowledge of authentication and authorization mechanisms
  • Expertise in manual testing techniques for complex business logic vulnerabilities
  • Experience with penetration testing reporting and executive communication of security risks

Nice To Have

Certifications

  • Relevant security certifications (CISSP, CEH, CSSLP, GWEB, OSCP)
  • Cloud security certifications (AWS Security, Azure Security)

Additional Skills

  • Experience with DevSecOps practices and tools
  • Advanced proficiency in securing distributed microservices ecosystems
  • Experience with modern frontend build tools and security (Webpack, Vite, npm/yarn security)
  • Expertise in Go ecosystem security including govulncheck integration and dependency management
  • Advanced configuration and customization of Semgrep/OpenGrep rules for organization-specific security policies
  • Experience with Gitleaks integration across multiple Git workflows and CI/CD platforms
  • Advanced web application penetration testing including thick client applications and complex multi-tier architectures
  • Experience with custom exploit development and proof-of-concept creation for business logic vulnerabilities
  • Expertise in creating comprehensive risk scoring models that align technical findings with business impact
  • Knowledge of container security (Docker, Kubernetes)
  • Experience with financial services and payment processing security
  • Familiarity with regulatory compliance (PCI DSS, GDPR, PSD2)
  • Experience with bug bounty programs and responsible disclosure
  • Knowledge of machine learning/AI security
  • Experience with service mesh security (Istio, Linkerd) and API gateway security

Key Abilities and Traits

  • Technical Excellence: Demonstrated ability to identify and remediate complex application security vulnerabilities across diverse technology stacks.
  • Collaboration: Strong ability to work effectively with development teams, translating security requirements into actionable development practices.
  • Communication: Excellent verbal and written communication skills, capable of explaining security concepts to both technical and business stakeholders.
  • Problem-Solving: Strong analytical and problem-solving skills with the ability to think like both a defender and an attacker.
  • Continuous Learning: Commitment to staying current with emerging application security threats, tools, and best practices.
  • Detail-Oriented: Meticulous attention to detail when reviewing code and assessing application security.
  • Project Management: Ability to manage multiple security assessments and projects simultaneously while meeting deadlines.

September 18, 2025