Core Responsibilities

• Security in SDLC
• Incorporate security controls and standards into all phases of the software development lifecycle (SDLC).
• Collaborate with developers to adopt secure coding practices, including OWASP compliance.
• Conduct threat modeling and evaluate design documents to identify security vulnerabilities.
• Establish security requirements and acceptance criteria for application development projects.

DevSecOps Automation

• Design and implement security automation within CI/CD workflows using tools for SAST, DAST, IAST, SCA and compliance monitoring.
• Develop custom security testing frameworks compatible with agile and DevSecOps models.
• Conduct infrastructure-as-code (IaC) configuration checks and enforce compliance policies.
• Automate secrets scanning, credential hygiene practices, and dependency vulnerability reviews.

Application Security Testing

• Execute static (SAST) and dynamic (DAST) application security assessments.
• Perform manual penetration testing and secure code reviews to detect risks.
• Analyze application dependencies and third-party components, ensuring vulnerability remediation.
• Validate security fixes via rigorous regression testing and secure deployment methods.

Security Training and Awareness

• Prepare training initiatives for developers on secure coding practices, application security principles, and DevSecOps workflows.
• Create and disseminate security documentation, guidelines, and playbooks for developers and architects.
• Mentor engineers to adopt security-first product development and incident prevention strategies.
• Establish and support developer security champion programmes within agile teams.

Cloud and Container Security

• Implement robust security controls for containerized workloads in Docker, Kubernetes, and similar platforms.
• Design and secure API endpoints and microservices architectures.
• Leverage cloud security services on AWS, Azure, or GCP to deliver secure, scalable solutions.
• Advocate for best practices in secret management, repository vaulting, and cloud-native application monitoring.

Required Qualifications

• Technical Skills
• Proficiency in multiple programming languages (e.g., Java, Python, JavaScript, Go, .NET).
• Extensive experience deploying application security tools like SonarQube, Checkmarx, Veracode, OWASP ZAP.
• Expertise in CI/CD tools and platforms (e.g., Jenkins, GitHub Actions, Azure DevOps).
• Solid understanding of container orchestration technologies (e.g., Kubernetes, Docker).
• Familiarity with cloud platforms (AWS, Azure, GCP) and IaC assessment tools (Terraform, CloudFormation).

Security Expertise

• Advanced knowledge of the OWASP Top 10 vulnerabilities, secure coding techniques, and cryptographic best practices.
• Proficiency in API security testing and securing microservices.
• Hands-on involvement in framework-based security compliance efforts (ISO 27001, GDPR, SOC 2).