Create Alert
Email me similar jobs

Application Security Engineer (AppSec) – DevSecOps

Full-time

Role: SR. SECOPS & APPSEC LEAD

Experience: 5-8 years

Location: Noida


JD:

Role Overview

We are looking for a Sr. SecOps & AppSec Lead to own and drive security operations across the entire product lifecycle — from code commit through build, deployment, and production. You will manage our security scanning pipeline (Veracode, SonarQube, Trivy), identify and remediate vulnerabilities in application code and open-source dependencies, upgrade libraries to eliminate known CVEs, and work hands-on to fix application security issues alongside development teams.

This role blends application security engineering with DevOps pipeline management. You will not just report vulnerabilities — you will reproduce them, assess their real-world exploitability in our context, and either fix them yourself or guide developers through remediation. You will also own CI/CD pipeline health, ensuring security gates are embedded into every build without becoming a bottleneck. Additionally, you will lead 1–2 junior engineers, building a small but effective security operations practice.

Key Responsibilities

Security Scanning & Pipeline Management

• Own and manage the end-to-end security scanning pipeline: SAST (Veracode, SonarQube), SCA (Veracode SCA / Snyk / OWASP Dependency-Check), and container image scanning (Trivy)

• Configure, tune, and maintain scanning policies — reduce false positives, set severity thresholds, and define quality gates that block vulnerable builds from promotion

• Integrate security scans seamlessly into CI/CD pipelines (Git runner/GitLab CI) so that every pull request and release build is automatically validated without slowing developer velocity

• Maintain dashboards and reporting on vulnerability trends, scan coverage, mean-time-to-remediate (MTTR), and open risk posture across the product portfolio

• Evaluate and onboard new security tools as the threat landscape and technology stack evolve

Vulnerability Identification, Reproduction & Remediation

• Triage vulnerability findings from SAST/SCA/container scans — assess real-world exploitability in the context of the our platform, not just CVSS scores

• Reproduce open-source and third-party library vulnerabilities in controlled environments to validate their impact and determine whether the vulnerable code path is actually reachable in our product

• Hands-on fix application security issues: SQL injection, XSS, CSRF, insecure deserialization, broken authentication, SSRF, path traversal, and other OWASP Top 10 vulnerabilities in the application codebase

• Plan and execute library upgrades to remediate known CVEs in open-source dependencies — assess compatibility impact, coordinate with development teams, and validate that upgrades do not introduce regressions

• Manage a vulnerability backlog with clear prioritization (critical/high exploitable vs. low-risk theoretical), SLA tracking, and regular reporting to engineering leadership

Application Security Engineering

• Conduct security code reviews for high-risk features: authentication/authorization flows, API security, data encryption, secrets management, and inter-module communication (API/MQ)

• Define and enforce secure coding standards and guidelines for the development teams, covering input validation, output encoding, parameterized queries, secure session management, and cryptographic practices

• Perform or coordinate DAST (Dynamic Application Security Testing) and periodic penetration testing, managing findings through to closure

• Review and harden Kubernetes deployment configurations: pod security policies/standards, network policies, RBAC, secrets management (Vault/Sealed Secrets), and container runtime security

• Ensure secure handling of sensitive financial data in transit and at rest, aligned with client security requirements and regulatory expectations

CI/CD Pipeline Ownership & DevOps

• Co-own CI/CD pipeline infrastructure (Git runner/GitLab CI): build pipeline optimization, artifact management, deployment automation, and environment provisioning

• Implement and maintain infrastructure-as-code for security tooling (Terraform/Helm charts for scanning infrastructure, policy-as-code for compliance checks)

• Manage Docker image lifecycle: base image hardening, image scanning in registries, tag governance, and ensuring minimal-footprint production images

• Automate security compliance checks: license scanning for open-source dependencies, secrets detection in code repositories (GitLeaks/TruffleHog), and configuration drift detection

• Support deployment pipelines for Kubernetes environments: Helm chart security, admission controllers, and runtime protection integration

Compliance, Audit & Governance

• Support compliance efforts (SOC 2, ISO 27001, or client-specific security assessments) by providing evidence of security controls, scan reports, and remediation records

• Coordinate with external penetration testing firms: scope definition, environment preparation, finding triage, and remediation tracking

• Maintain security documentation: threat models, security architecture diagrams, incident response runbooks, and vulnerability management procedures

• Produce regular security posture reports for engineering leadership and client-facing teams, translating technical findings into business risk language

Team Leadership & Security Culture

• Lead, mentor, and develop 1–2 junior SecOps/AppSec engineers, establishing workflows, review processes, and growth paths

• Drive a security-aware culture across engineering: conduct threat modeling workshops, secure coding training sessions, and brown-bag presentations on real-world vulnerabilities

• Create and maintain internal security knowledge base: remediation playbooks, common vulnerability patterns in the codebase, and library upgrade guides

Similar jobs

Application Security Engineer (AppSec) – DevSecOps

Apply On Company Site
Back to search page