Lead II-Software Security Tester (Penetration, Application Security, Vulnerability, OWASP)- TVM/BLR
Indexed description
Experience
10+ years in Penetration Testing, Web Application Security, API Security, and Vulnerability Assessment (mandatory) along with experience in DevSecOps / DevOps / Security Engineering in a lead capacity
Mandatory Skills
- Penetration Testing (Web & API)
- Web Application Security
- API Security Testing
- Vulnerability Assessment & Management
- Perform end-to-end security testing including web apps, APIs, and infrastructure
- Identify, triage, and remediate vulnerabilities across applications and environments
- Lead security assessments and provide actionable risk insights
- Integrate security practices into CI/CD pipelines and SDLC
- Define secure coding standards and enforce security best practices
- Collaborate with development, DevOps, and platform teams to improve security posture
- CI/CD pipeline security (GitLab CI/CD preferred)
- SAST (Semgrep), DAST (Burp Suite, OWASP ZAP)
- SCA & SBOM (Dependency-Track, CycloneDX/CDXGen)
- Secrets scanning (Detect-Secrets) & Secrets management (HashiCorp Vault)
- Container & image scanning (Trivy); Docker & Kubernetes security
- Vulnerability management platforms (DefectDojo) and Infra scanning (Qualys)
- Observability & security monitoring (Datadog)
- Sensitive data detection & log redaction (Datadog SDS)
- Code quality tools (SonarQube)
- IaC security (Terraform)
- Client-side security (SourceDefense)
- Automated dependency management (Dependabot / Renovate)
- OWASP Top 10, CVSS, CWE, ASVS
- Secure SDLC practices
- Security governance, policy creation & compliance
- Strong leadership and stakeholder communication
- Ability to define security policies and release criteria
- Experience mentoring junior engineers
- Min 10-13yrs years’ experience in Dev SecOps or DevOps along with Application Security, or Security Engineering, with lead-level experience
- Expert-level CI/CD pipeline engineering — building, configuring, and optimising end-to-end ssecurity-integrated pipelines (any major CI/CD platform; GitLab CI/CD preferred)
- SAST — hands-on experience implementing and tuning static analysis tools (Semgrep preferred)
- DAST — proficiency with dynamic application security testing tools (Burp Suite and OWASP ZAP preferred)
- SCA & SBOM — experience with software composition analysis and SBOM generation/tracking (Dependency-Track, CycloneDX/CDXGen preferred)
- Secrets scanning — experience with secrets detection tools integrated into CI pipelines (Detect-Secrets preferred)
- Container & image scanning — experience with container security scanning tools (Trivy preferred)
- Vulnerability management platforms — operating centralised vulnerability aggregation and tracking platforms, managing triage, deduplication, false positive handling, and severity-based SLAs (DefectDojo preferred)
- Secrets management — experience with vault-based secrets management, rotation policies, and least-privilege enforcement (HashiCorp Vault preferred)
- Observability & security monitoring — experience with observability platforms for security log monitoring, ing, and dashboarding (Datadog preferred)
- Sensitive data detection — hands-on experience with PII detection and redaction in application logs across production and non-production environments (Datadog Sensitive Data Scanner / SDS preferred)
- Client-side security — experience with client-side web script monitoring and protection tools (SourceDefense preferred)
- Automated dependency management — experience with automated dependency update tools, including MR review and pipeline failure triage (Dependabot or Renovate preferred)
- Infrastructure scanning — experience with infrastructure vulnerability scanning tools (Qualys preferred)
- Code quality — experience with code quality and static analysis platforms (SonarQube preferred)
- Infrastructure as Code — experience managing security configurations through IaC tools (Terraform preferred)
- Container & cloud security — strong knowledge of Docker, Kubernetes, and securing containerised workloads
- Security standards expertise — deep understanding of OWASP Top 10, CVSS scoring, CWE classification, ASVS, and secure SDLC practices
- Governance & process design — proven ability to define security policies, release criteria, RBAC models, and audit-ready documentation
- Leadership & communication — ability to influence engineering teams, present security risk assessments to stakeholders, and mentor junior security engineers
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search