Role - Application Security Engineer

Experience - 4+Yrs

Location - Bangalore

Key Responsibilities

Internal VAPT & Security Testing

● Execute internal VAPT on web applications, APIs, and React Native mobile applications, focusing on real-world attack paths.

● Perform authenticated and authorization-focused testing, including BOLA/IDOR, broken access control, and session abuse.

● Validate scanner results and provide reproducible evidence such as PoCs, request/response traces, and impact narratives.

DAST Program Support

● Improve DAST scanning reliability and signal quality by managing scope definition, scan profiles, and false positives.

● Produce verified, developer-actionable outputs for the monthly DAST cadence.

● Maintain stable test credentials and safe scanning practices for Tier-0/Tier-1 applications in coordination with the DAST owner.

Secure SDLC & DevSecOps Enablement

● Support security checks integrated into GitHub Actions, including secrets scanning and dependency hygiene.

● Provide practical remediation guidance and secure coding recommendations for Node/React/Next and API services.

● Develop reusable developer guidance, such as secure patterns and verification scripts, to reduce vulnerability recurrence.

Triage, Verification & Mobile Security

● Triage findings from SAST, SCA, and DAST sources to ensure high-confidence issues reach engineering.

● Verify fixes and ensure closure quality for high-risk issues.

● Perform mobile security testing, including API endpoint discovery, secure storage assessments, and deep link validation.

External VAPT & Bug Bounty Support

● Prepare scope, test accounts, and validation assistance for external VAPT execution.

● Assist in retest verification for external findings.

● Support bug bounty readiness through triage playbooks and severity assessment guidance.

Qualifications & Experience

● Education: Bachelor’s degree in Computer Science, Cybersecurity, Information Security,

or equivalent practical experience.

● Experience: 3–5+ years in application security, product security, or penetration testing with strong hands-on skills.

● Technical Testing: Demonstrated experience in web application and API security testing; mobile security experience is strongly preferred.

● Tooling: Proficiency with at least two of the following: Accunetix, Burp Suite, OWASP

ZAP, SonarQube (or other SAST tools), dependency scanning, or secrets scanning tools.

Technical Knowledge & Skills

● Deep understanding of OWASP Top 10 and API security risks (BOLA/IDOR, mass assignment, rate-limit abuse).

● Strong grasp of authentication and authorization models, including JWT, OIDC, and session handling.

● Working knowledge of DevSecOps practices and embedding security testing into CI workflows (GitHub Actions).

● Ability to build reproducible proofs and utilize scripting (Python/Node) for light automation.

● Familiarity with Cloudflare WAF/API Shield and API gateway architectures (Kong/AWS

API Gateway) is a plus.