CUBIC

Senior Security Test Engineer

Hyderabad, Telangana Full time

Business Unit:

Cubic Transportation Systems

Company Details:

When you join Cubic, you become part of a company that creates and delivers technology solutions in transportation to make people’s lives easier by simplifying their daily journeys, and defense capabilities to help promote mission success and safety for those who serve their nation. Led by our talented teams around the world, Cubic is committed to solving global issues through innovation and service to our customers and partners.

We have a top-tier portfolio of businesses, including Cubic Transportation Systems (CTS) and Cubic Defense (CD). Explore more on Cubic.com.

Job Details:

Security Testing Engineer (5–8 Years Experience)

We are seeking a seasoned Security Testing Engineer with 5–8 years of experience in application and infrastructure security testing. The ideal candidate will be responsible for identifying vulnerabilities, strengthening security posture, and ensuring compliance with secure development practices across systems.

Role Objective

The Senior Security Testing Engineer will lead the identification of security risks across web, mobile, API and cloud infrastructures. You will be responsible for defining the security testing strategy, mentoring junior testers, and ensuring that security is not an afterthought but a core component of the development pipeline.

Key Responsibilities

1. Core Security Testing & Assessment

  • Web & API Penetration Testing: Perform advanced manual and automated security testing of web applications and REST/SOAP APIs.

  • Mobile Security: Conduct security assessments for iOS and Android platforms, including binary analysis and traffic interception.

  • Vulnerability Management: Manage the end-to-end lifecycle of vulnerabilities, from discovery and risk-rating (using CVSS) to remediation verification.

  • Network Pentesting: Assess internal and external network security, including wireless and cloud-native configurations.

2. DevSecOps & Automation

  • Pipeline Integration: Integrate SAST (Static), DAST (Dynamic), and SCA (Software Composition Analysis) tools into CI/CD pipelines (e.g., Jenkins, GitLab, Azure DevOps).

  • Tool Customization: Develop custom scripts (Python, Bash, or PowerShell) to automate repetitive security checks or to bridge gaps between security tools.

3. Strategy & Compliance

  • Security Architecture Review: Participate in design reviews to identify architectural security flaws before code is written.

  • Compliance Alignment: Ensure testing methodologies align with global standards such as OWASP Top 10 (Injection, XSS, CSRF, etc.), SANS Top 25, NIST, and ISO 27001.

  • Reporting: Translate technical findings into risk-based executive summaries for stakeholders and detailed technical reports for developers.

Technical Skills Required

Category: Skills / Tools

Methodologies: OWASP (Web/Mobile/API), PTES, OSSTMM.

Dynamic Tools: Burp Suite Professional, OWASP ZAP, Acunetix, Netsparker.

Static Analysis: Checkmarx, Fortify, SonarQube, Snyk.

Infrastructure: Nmap, Metasploit, Nessus, Qualys, Kali Linux.

Cloud Security: Experience with AWS (Inspector, GuardDuty), Azure (Defender for Cloud), or GCP security suites.

Languages: Proficiency in Python, Java, or JavaScript (for exploit development and code review).

Education

  • B.Tech/B.E. in Computer Science, Information Technology, or a related field. A Master's in Cybersecurity is a plus.

Worker Type:

Employee