H

SENIOR ENGINEER - Application Security

Happiest Minds Technologies · Pune Division, Maharashtra, India

~₹18L (est.)4–10 yrs experiencefull_timePosted 1w ago
Apply now →

Job description

**Job Role:** Engineer - Application Security & Penetration Testing **Location:** Mumbai or Ahmedabad (Client location) **Experience:** 3+ years of core experience in Application Security and Penetration Testing **Overview** We are seeking a dynamic, highly technical, and skilled professional to lead and deliver comprehensive application, API, and network security assessment services for enterprise-scale financial market infrastructure. This critical role involves managing dynamic and grey box testing methodologies, infrastructure vulnerability scanning, comprehensive report preparation, and remediation advisory processes. The ideal candidate ensures all assessments strictly adhere to stringent financial sector regulatory mandates, specifically SEBI cyber resilience guidelines and CERT-In frameworks, alongside OWASP and NIST standards, working closely with engineering and risk stakeholders to safeguard high-availability systems. **Key Responsibilities** Application Penetration Testing - Web App Testing: Conduct comprehensive grey box penetration testing for complex, high-throughput web applications, profiling attack surfaces using both automated and manual techniques. - Logic & Vulnerability Assessment: Identify deep business logic flaws, race conditions, and transactional vulnerabilities alongside standard OWASP risks. - Core Assessment Areas: Test and evaluate authentication, session management, multi-tier authorization mechanisms, client-side controls, access controls, encryption, and multi-tenant environments. - Risk Scoring: Document and provide detailed findings using the CVSS v3 scoring format, accompanied by tailored mitigation recommendations aligned with stringent financial-grade compliance. API Security Testing - Layered Testing: Conduct grey box API penetration testing covering presentation, security, discovery, access, and transport layers. - Vulnerability Detection: Test for API-specific flaws, including parameter tampering, malformed XML, SQL/XPath injection, broken object-level authorization (BOLA), replay attacks, and privilege escalation. - Specification Review: Assess security specifications including X.509, SAML, OAuth, and secure token implementations. Network Vulnerability Assessment - Infrastructure Scanning: Perform regular and comprehensive Network Vulnerability Assessments across critical enterprise infrastructure to meet regulatory baselines. - Tool Proficiency: Utilize Nessus Professional, Nmap, and other commercial/open-source tools for automated network scanning, configuration audits, and infrastructure vulnerability detection. - Risk Analysis: Analyze network scan results to eliminate false positives, contextualize perimeter risks, and evaluate network segmentation. Vulnerability Management, Report Preparation & Advisory - Report Preparation: Author detailed, high-quality technical assessment reports and executive summaries outlining discovered vulnerabilities, business impacts, and proof-of-concepts, formatted specifically to support rigorous audit readiness. - Remediation Consultation: Deliver expert guidance to development teams and system administrators to ensure effective, rapid mitigation of identified application and network flaws. - Validation & Retesting: Collaborate with stakeholders to validate findings, present technical accuracy reports, and conduct rigorous retests post-remediation to ensure timely risk closure and regulatory compliance verification. Compliance, Team Leadership & Stakeholder Collaboration - Regulatory Adherence: Ensure all testing methodologies, evidence collection, and reporting frameworks satisfy SEBI cyber security and cyber resilience mandates for market infrastructure institutions, as well as CERT-In directives. - Team Leadership: Lead, mentor, and motivate a team of security consultants, ensuring high-quality, audit-defensible project delivery. - Client Engagement: Act as the primary technical point of contact for internal and external stakeholders to discuss assessment findings, mitigations, and compliance-driven risk management strategies. **Required Skills & Qualifications** - Education: Bachelor?s degree in Computer Science, Information Security, or a related field. - Certifications: Relevant certifications (e.g., OSCP, CEH, GWAPT, CISSP) are highly desirable. - Regulatory Knowledge: Deep understanding of SEBI cybersecurity frameworks and CERT-In security testing mandates within the financial sector. - Technical Expertise: In-depth knowledge of application, API, and network security testing methodologies (OWASP Top 10, NIST SP 800-115). - Tooling: Proficient with Nessus Professional, Burp Suite, Nmap, and other core penetration testing utilities. - Environment Exposure: Experience with multi-tenant environments, thick clients, SOAP, WSDL, and XML-based services. - Advanced Vectors: Familiarity with content-level attacks, replay attacks, and advanced web server/infrastructure configurations. Professional Competencies - Analytical Mindset: Strong analytical, problem-solving, and troubleshooting capabilities under high-pressure scenarios. - Communication: Exceptional written and verbal communication skills in English, with a proven track record of clear, audit-ready report preparation. - Drive & Resilience: A proactive, dedicated, and innovative professional capable of managing end-to-end delivery of high-stakes security projects. - Collaboration: A strong team player who builds collaborative relationships with technology and risk teams to address security concerns proactively. Application Security, Burp Suite, Penetration Testing, OWASP Top 10