Back to search
NeoXam Linkedin · Posted 6d ago

Senior SecOps & AppSec Lead - Noida

India

Linkedin
Continue to application Add your email once, then Caio opens the original posting.

Indexed description

  • Department Engineering
  • Reports To Director Engineering
  • Team Size 1–2 Direct Reports
  • Scope - AppSec + DevSecOps

Role Overview

We are looking for a Sr. SecOps & AppSec Lead to own and drive security operations across the entire product lifecycle — from code commit through build, deployment, and production. You will manage our security scanning pipeline (Veracode, SonarQube, Trivy), identify and remediate vulnerabilities in application code and open-source dependencies, upgrade libraries to eliminate known CVEs, and work hands-on to fix application security issues alongside development teams.

This role blends application security engineering with DevOps pipeline management. You will not just report vulnerabilities — you will reproduce them, assess their real-world exploitability in our context, and either fix them yourself or guide developers through remediation. You will also own CI/CD pipeline health, ensuring security gates are embedded into every build without becoming a bottleneck. Additionally, you will lead 1–2 junior engineers, building a small but effective security operations practice.

Key Responsibilities

Security Scanning & Pipeline Management

  • Own and manage the end-to-end security scanning pipeline: SAST (Veracode, SonarQube), SCA (Veracode SCA / Snyk / OWASP Dependency-Check), and container image scanning (Trivy)
  • Configure, tune, and maintain scanning policies — reduce false positives, set severity thresholds, and define quality gates that block vulnerable builds from promotion
  • Integrate security scans seamlessly into CI/CD pipelines (Git runner/GitLab CI) so that every pull request and release build is automatically validated without slowing developer velocity
  • Maintain dashboards and reporting on vulnerability trends, scan coverage, mean-time-to-remediate (MTTR), and open risk posture across the product portfolio
  • Evaluate and onboard new security tools as the threat landscape and technology stack evolve

Vulnerability Identification, Reproduction & Remediation

  • Triage vulnerability findings from SAST/SCA/container scans — assess real-world exploitability in the context of the our platform, not just CVSS scores
  • Reproduce open-source and third-party library vulnerabilities in controlled environments to validate their impact and determine whether the vulnerable code path is actually reachable in our product
  • Hands-on fix application security issues: SQL injection, XSS, CSRF, insecure deserialization, broken authentication, SSRF, path traversal, and other OWASP Top 10 vulnerabilities in the application codebase
  • Plan and execute library upgrades to remediate known CVEs in open-source dependencies — assess compatibility impact, coordinate with development teams, and validate that upgrades do not introduce regressions
  • Manage a vulnerability backlog with clear prioritization (critical/high exploitable vs. low-risk theoretical), SLA tracking, and regular reporting to engineering leadership

Application Security Engineering

  • Conduct security code reviews for high-risk features: authentication/authorization flows, API security, data encryption, secrets management, and inter-module communication (API/MQ)
  • Define and enforce secure coding standards and guidelines for the development teams, covering input validation, output encoding, parameterized queries, secure session management, and cryptographic practices
  • Perform or coordinate DAST (Dynamic Application Security Testing) and periodic penetration testing, managing findings through to closure
  • Review and harden Kubernetes deployment configurations: pod security policies/standards, network policies, RBAC, secrets management (Vault/Sealed Secrets), and container runtime security
  • Ensure secure handling of sensitive financial data in transit and at rest, aligned with client security requirements and regulatory expectations

CI/CD Pipeline Ownership & DevOps

  • Co-own CI/CD pipeline infrastructure (Git runner/GitLab CI): build pipeline optimization, artifact management, deployment automation, and environment provisioning
  • Implement and maintain infrastructure-as-code for security tooling (Terraform/Helm charts for scanning infrastructure, policy-as-code for compliance checks)
  • Manage Docker image lifecycle: base image hardening, image scanning in registries, tag governance, and ensuring minimal-footprint production images
  • Automate security compliance checks: license scanning for open-source dependencies, secrets detection in code repositories (GitLeaks/TruffleHog), and configuration drift detection
  • Support deployment pipelines for Kubernetes environments: Helm chart security, admission controllers, and runtime protection integration

Compliance, Audit & Governance

  • Support compliance efforts (SOC 2, ISO 27001, or client-specific security assessments) by providing evidence of security controls, scan reports, and remediation records
  • Coordinate with external penetration testing firms: scope definition, environment preparation, finding triage, and remediation tracking
  • Maintain security documentation: threat models, security architecture diagrams, incident response runbooks, and vulnerability management procedures
  • Produce regular security posture reports for engineering leadership and client-facing teams, translating technical findings into business risk language

Team Leadership & Security Culture

  • Lead, mentor, and develop 1–2 junior SecOps/AppSec engineers, establishing workflows, review processes, and growth paths
  • Drive a security-aware culture across engineering: conduct threat modeling workshops, secure coding training sessions, and brown-bag presentations on real-world vulnerabilities
  • Create and maintain internal security knowledge base: remediation playbooks, common vulnerability patterns in the codebase, and library upgrade guides

Required Qualifications

  • 5–8 years of hands-on experience in application security, SecOps, or DevSecOps for enterprise software products
  • Strong experience with SAST tools (Veracode and/or SonarQube): policy configuration, scan management, false positive tuning, and developer-facing remediation guidance
  • Hands-on experience with SCA (Software Composition Analysis): identifying vulnerable open-source libraries, assessing exploitability, planning and executing library upgrades across large codebases
  • Experience with container security scanning (Trivy, Aqua, or Prisma Cloud) and Docker image hardening best practices
  • Proven ability to reproduce and fix application-level vulnerabilities (OWASP Top 10) in production codebases — not just scan and report, but actively remediate
  • Strong CI/CD pipeline experience (Jenkins or GitLab CI): building, maintaining, and optimizing build/deploy pipelines with integrated security gates
  • Working knowledge of Kubernetes security: pod security standards, RBAC, network policies, secrets management, and admission controllers
  • Proficiency in at least one application language used in the product stack (Java, Python, JavaScript/TypeScript, or Go) to conduct code reviews and fix vulnerabilities
  • Experience producing compliance evidence and supporting security audits (SOC 2, ISO 27001, or client security questionnaires)
  • Strong communication skills: ability to explain vulnerabilities and risk to both developers and non-technical stakeholders

Preferred Qualifications

  • Experience securing financial services / fintech platforms, particularly systems handling sensitive client data in regulated environments
  • Familiarity with DAST tools (OWASP ZAP, Burp Suite) and manual penetration testing techniques
  • Knowledge of infrastructure-as-code security scanning (Checkov, tfsec for Terraform templates)
  • Experience with cloud security posture management on AWS and/or Azure (GuardDuty, Security Hub, Defender for Cloud)
  • Certifications: CEH, OSCP, CISSP, AWS Security Specialty, or CKS (Certified Kubernetes Security Specialist)
  • Experience building security champions programs to embed security awareness within development teams
Free. 20 seconds. No password. See every match in this search.

Create a free Caio profile to unlock more results and save your role and location preferences.

Unlock free search
Want help applying to roles like this? Search Caio for free. If CV tailoring and application tracking get heavy, Full Caio Agent adds a human specialist.
View Full Agent