E

Lead Assistant Manager - Application Security

EXL Service · Uttar Pradesh, India

~₹22L (est.)8–15 yrs experiencefull_timePosted 3w ago
Apply now →

Job description

**Job Description: Key Responsibilities** **Application Security Testing** - Conduct manual and tool-assisted web application penetration testing (OWASP Top 10, business logic flaws, API vulnerabilities). - Perform mobile application security assessments for Android and iOS (static & dynamic analysis, reverse engineering, OWASP MASVS/MSTG). - Execute source code security reviews—both SAST-assisted and manual—across languages such as Java, Python, JavaScript/TypeScript, and others. - Participate in grey-box assessments and targeted red-team exercises against internal and client-facing applications. **DevSecOps Integration** - Integrate and operate SAST, DAST, SCA, and container security tools within CI/CD pipelines (Jenkins, GitHub Actions). - Configure and tune security tooling to reduce false positives and enforce actionable pipeline quality gates. - Support IaC security reviews (Terraform, CloudFormation) and secrets management practices. - Collaborate with platform engineering to embed security controls in build and deployment workflows. **Vulnerability Management & Remediation** - Triage, prioritise, and track vulnerabilities from discovery through verified closure. - Produce clear, developer-friendly reports with reproducibility steps, severity ratings, and remediation guidance. - Support development teams in understanding and fixing identified issues; re-test post-remediation. - Maintain internal vulnerability registers and risk-tracking artefacts. **Secure SDLC** - Assist in threat modelling and secure design reviews for new features and services. - Promote secure coding standards and OWASP best practices across development teams. - Contribute to security champions programmes and developer awareness initiatives. - Assist in securing AI/GenAI applications and APIs following defined security patterns. **Responsibilities: Key Responsibilities** **Application Security Testing** - Conduct manual and tool-assisted web application penetration testing (OWASP Top 10, business logic flaws, API vulnerabilities). - Perform mobile application security assessments for Android and iOS (static & dynamic analysis, reverse engineering, OWASP MASVS/MSTG). - Execute source code security reviews—both SAST-assisted and manual—across languages such as Java, Python, JavaScript/TypeScript, and others. - Participate in grey-box assessments and targeted red-team exercises against internal and client-facing applications. **DevSecOps Integration** - Integrate and operate SAST, DAST, SCA, and container security tools within CI/CD pipelines (Jenkins, GitHub Actions). - Configure and tune security tooling to reduce false positives and enforce actionable pipeline quality gates. - Support IaC security reviews (Terraform, CloudFormation) and secrets management practices. - Collaborate with platform engineering to embed security controls in build and deployment workflows. **Vulnerability Management & Remediation** - Triage, prioritise, and track vulnerabilities from discovery through verified closure. - Produce clear, developer-friendly reports with reproducibility steps, severity ratings, and remediation guidance. - Support development teams in understanding and fixing identified issues; re-test post-remediation. - Maintain internal vulnerability registers and risk-tracking artefacts. **Secure SDLC** - Assist in threat modelling and secure design reviews for new features and services. - Promote secure coding standards and OWASP best practices across development teams. - Contribute to security champions programmes and developer awareness initiatives. - Assist in securing AI/GenAI applications and APIs following defined security patterns. - **Qualifications: Skills & Qualifications** **Non-Negotiable – Must Have** - 3–5+ years of hands-on experience in application security, penetration testing, or a closely related security engineering role. - Demonstrated web application penetration testing proficiency (Burp Suite Pro, OWASP methodology, manual exploitation). - Proven mobile application security testing experience for Android and/or iOS (MobSF, Frida, objection, drozer, APK/IPA analysis). - Practical source code review capability—ability to identify security defects through manual inspection and SAST tooling (Semgrep, SonarQube, Checkmarx, Veracode). - Familiarity with DevSecOps pipelines and security tool integration (SAST/DAST/SCA in CI/CD). - Solid understanding of vulnerability classes: injection, authentication flaws, IDOR, XXE, SSRF, deserialization, cryptographic weaknesses. - Scripting/automation capability for security tasks (Python, Bash, or equivalent). **Good to Have** - Certifications: eWPTX (eLearnSecurity), OSCP (Offensive Security), CEH, GWEB, GWAPT, or equivalent offensive security credentials. - Exposure to cloud security fundamentals (AWS/Azure/GCP—IAM, security groups, logging). - Knowledge of AI/GenAI security risks (OWASP LLM Top 10, prompt injection, model abuse). - Experience with API security testing (REST, GraphQL, gRPC). - Familiarity with compliance frameworks: OWASP ASVS, NIST, ISO 27001, PCI-DSS. **Qualifications** - Bachelor’s degree in Computer Science, Information Security, Engineering, or equivalent practical experience. - 3–5+ years of relevant experience in application security, penetration testing, or DevSecOps. - Offensive security certifications (eWPTX, OSCP, GWAPT, CEH, or equivalent) are a strong plus.