1.Application Security Engineer

Mandatory skills:

8-10-years of manual penetration testing experience(Mobile, Web application , Web services, API)

Manual pen test experience on mobile application at least 20+ apps. T he ability to notice "odd" behavior and able to take the initiative to investigate it.

Manual Web application and Web Services, API experience more then 300+ Applications.

Very good in reporting as per the best practices.

Person should know the vulnerability and the remediation in depth so that he can suggest the same to all the stakeholders.

Expert in Burp Suite tool.

Technical Skills:

• Knowledge of how to put into practice the OWASP Security Testing Standard.
• Fair understanding of testing the applications behind the Web Application Firewall and the evasion techniques.
• Good pen testers have the drive to keep digging and enjoy solving puzzles.
• Tools and procedures can be learned, but the "knack" or "hacker gene" is something that the person must have developed on their own or they will never be a top-level tester.
• As far as tools, the baseline is the same as web app pen testing, e.g., Kali, Burp, Python, Wireshark, radar, etc.
• For mobile app specific tools, there's Frida, MARA, Cydia, and others - there are multiple platforms that can accomplish the same thing, so to an extent it's the tester's preferences.
• In addition to the basic scripting skills necessary for most pen testing, a mobile pen tester should have experience with Java and Objective-C as those are the main languages for app development, as well as JavaScript since that's how Frida interactions are done (as mini-JS scripts to control the app and hook function calls).
• Ideally a tester will have experience as a mobile app developer, since it's easier to understand the disassembly of an app if you understand how it was put together in the first place.
• A good understanding of jailbreaking, certificate management, and MITM operations are also necessary since natively the mobile application and the device will not allow MITM.
• Banking and financial domain experience would be addon to the existing skillsets.
• Last but not the least the person should have the excellent soft skill and a good team player.

• Hands-on experience in creating and implementing DevSecOps pipelines using CI/CD automation tools such as Jenkins, GitHub Actions, CheckmarxOne, BurpSuite, and other open-source security tools.
• Implement and enforce Application Cyber Security Controls/Policies developed by the DevSecOps Program.
• Perform security vulnerability demonstrations for application teams to help them understand the impact and remediation strategies.
• Drive resolution of application security issues, collaborating with development and operations teams.
• Provide clear, actionable guidance to application teams for effective vulnerability mitigation and secure coding practices.
• Conduct comprehensive application security assessments using industry-standard security tools (SAST, SCA, DAST, PT, etc.).
• Automate repetitive tasks using tools such as Postman, PowerShell, and Python scripting.
• Create and maintain executive-level dashboards to track security metrics and assessments using PowerBI or similar reporting tools.
• Categorize and recommend security assessment strategies for both existing and new application development projects.
• Provide training and coaching to development and supplier teams on application security best practices and secure coding techniques.
• Develop training material and conduct training sessions to improve security awareness across teams.

• Hands-on experience in writing secure code in languages such as Java, JavaScript, Python, and .NET.
• Proven experience running security scans, including SAST, SCA, DAST, and penetration testing (PT).
• Deep understanding of the OWASP Top 10 vulnerabilities and mitigation strategies for each.
• Solid background in application development, including working with compiled code, mobile applications, website design, and web services.
• Proficient in programming, scripting, and query languages such as Java, SQL, HTML, JavaScript, Python, and PowerShell.
• Familiarity with cloud security practices (AWS, Azure, or GCP) and container security (Docker, Kubernetes) is a plus.
• At least 3-5 years of DevSecOps experience focused on application testing, security integration, and automation.
• Preferred: Candidates with scripting experience in Python, Shell scripting, or other automation tools.