Job Title: Application Security SME
Location: Bangalore, India (Mandatory)
Company: Deloitte India
Job Type: Full-time
Experience: 4-7
Best-fit roles:
Web Application Penetration Testing, API Testing, Network Penetration Testing, Mobile Application Penetration Testing, Source Code Review, Thick Client Application Testing
Certifications: Certified Ethical Hacker (CEH), Certified Red Team Professional (CRTP), Certified AppSec Pentester (CAPen), Certified API Security Analyst (CASA), OffSec Certified Professional (OSCP)
Responsibilities
- Conduct end-to-end penetration tests on web applications, APIs, mobile applications, thick client applications, and network infrastructures to identify vulnerabilities.
- Collaborate on projects with defined objectives, ensuring timely and successful delivery.
- Analyze end-to-end application architectures and business logic for potential vulnerabilities.
- Prepare detailed reports documenting findings, risk levels, and recommendations for remediation, ensuring clarity for both technical and non-technical audiences.
- Perform in-depth source code reviews to detect security flaws and ensure compliance with secure coding standards.
- Leverage advanced penetration testing tools and frameworks to replicate real-world attack scenarios, ensuring comprehensive vulnerability identification.
- Execute cyber security assessments, including vulnerability assessments, penetration tests, and secure code reviews, both manually and using automated tools.
- Present findings and remediation strategies to clients, providing guidance on best practices and potential risks.
- Demonstrate understanding of core business processes and IT management practices to align security measures effectively.
- Contribute to the development of best practices and methodologies within the security team.
Key Skills
- Expertise in penetration testing of web, mobile (both iOS and Android), API, and SaaS applications.
- In-depth understanding of API security vulnerabilities and proven experience in securing APIs. Experience in writing proofs of concept and exploits and performing in-depth exploitation is desired.
- Understanding of basic business and information technology management processes.
- Must have in-depth knowledge of OWASP Top 10 / SANS Top 25 best practices and cyber security guidelines.
- Must have a detailed understanding of the CIA triad, cryptography, and defense in depth.
- Experience in infrastructure penetration testing and application security testing.
- In-depth understanding of risks, threats, and vulnerabilities.
- Experience in secure code review; expertise in tools like Checkmarx, SonarQube, and Veracode is preferred.
- Experience in conducting configuration reviews of Windows, Linux, UNIX, Solaris, Databases, etc.
- Should possess knowledge of vulnerability exploitation and exploit development.
- Experience with basic scripting (Shell, Python, etc.).
- Good knowledge of protocols, security measures, and networks, including firewalls, IDS/IPS, routers, switches, and network architecture.
- Familiarity with security principles and technologies.
- Expertise in performing threat modeling and generating security architecture requirements for software development and product teams.
- Expert knowledge of offensive security tools (e.g., Metasploit, Cobalt Strike, Burp Suite, Empire) and threat simulation frameworks.
- Strong understanding of TTPs used by cybercriminals and APT groups (MITRE ATT&CK framework knowledge preferred).