T&T-Cyber-Strategy & Transformation- AM – VAPT

Job Title: Application Security SME

Location: Bangalore, India (Mandatory)

Company: Deloitte India

Job Type: Full-time

Experience: 4-7 

Best fit Roles:

Web Application Penetration Testing, API Testing, Network Penetration Testing Mobile Application Penetration Testing, Source Code Review, Thick Client Application Testing

Certifications: Certified Ethical Hacker (CEH), Certified Red Team Professional (CRTP), Certified AppSec Pentester (CAPen), Certified API Security Analyst (CASA), OffSec Certified Professional (OSCP)

Responsibilities

• Conduct end-to-end penetration tests on web applications, APIs, mobile applications, thick client applications, and network infrastructures to identify vulnerabilities.
• Collaborate on projects with defined objectives, ensuring timely and successful delivery.
• Analyze end-to-end application architectures and business logic for potential vulnerabilities.
• Prepare detailed reports documenting findings, risk levels, and recommendations for remediation, ensuring clarity for both technical and non-technical audiences.
• Perform in-depth source code reviews to detect security flaws and ensure compliance with secure coding standards.
• Leverage advanced penetration testing tools and frameworks to replicate real-world attack scenarios, ensuring comprehensive vulnerability identification.
• Execute cyber security assessments, including vulnerability assessments, penetration tests, and secure code reviews, both manually and using automated tools.
• Present findings and remediation strategies to clients, providing guidance on best practices and potential risks.
• Demonstrate understanding of core business processes and IT management practices to align security measures effectively.
• Contribute to the development of best practices and methodologies within the security team.

The Key Skills

• Expertise in penetration testing Web, Mobile application (both iOS and Android), API and SaaS application.
• In-depth understanding of API security vulnerabilities and proven experience in securing API. Experience in writing proof of concepts, exploits and performing in-depth exploitation is desired.

• Understanding of basic business and information technology management processes
• Must have in-depth knowledge of OWASP TOP 10/SANS25 best practices and cyber security guidelines.
• Must have detailed understanding of CIA Triads, Cryptography, Defense in Depth.
• Experience in Infrastructure Penetration Testing and Application Security Testing
• In-Depth understating of Risk, Threat, and Vulnerabilities.
• Experience in secure code review and expertise in tools like Checkmarx, SonarQube, Veracode will be preferred.
• Experience in conducting configuration reviews of Windows, Linux, UNIX, Solaris, Databases, etc.
• Should possess knowledge of vulnerability exploitation and exploit development.
• Experience in basic scripting such as: Shell, Python, etc.
• Good knowledge of protocols, security measures and Networks including Firewall, IDS/IPS, Routers, Switches, and network architecture.
• Familiarity with security principles and technologies.
• Expertise in performing Threat Modeling, generating security architectural requirements to software development and product teams.
• Expert knowledge of offensive security tools (e.g., Metasploit, Cobalt Strike, Burp Suite, Empire, etc.) and threat simulation frameworks.
• Strong understanding of TTPs used by cybercriminals and APT groups (MITRE ATTACK framework knowledge preferred).