Bachelor's degree in a computer-related field such as computer science or cyber/information security, or a related discipline
Minimum 5 years of experience in information security assessments or penetration testing
At least 3 years of experience in BFSI (Banking, Financial Services, and Insurance) sector
Good understanding of IT systems, infrastructure, and networking
Exceptionally good with stakeholder management and people management
Data Security - Understanding of implications of multiple international regulations and standards such as PDPL, GDPR, CBUAE, CBE, RBI, PCI-DSS, ISO 27001
Configuration Review - Experience performing configuration reviews of different systems and identifying misconfigurations
Integration Review - Understanding of how an application connects with other systems, and experience performing security reviews of those integrations
Transport Layer Security - Understanding of transport layer security mechanisms and controls
Mobile Data Security - Assessment of data storage and protection mechanisms on-device (Keychain, Keystore, Secure Enclave, encrypted databases)
Configuration & Deployment Review - Identification of insecure mobile app configurations, insecure Android/iOS permissions, export settings, build configurations
Reverse Engineering & Tamper Resistance - Experience with mobile reverse engineering tools (Frida, Objection, JADX, Hopper, Ghidra)
Database Security - Defining requirements to enhance security on enterprise-grade databases (SQL Server, Oracle, Postgres, MySQL, MongoDB)
Web Server Security - Defining requirements to enhance security on enterprise-grade web servers (IIS, Apache Tomcat, JBoss)
Vulnerability Management - Strong expertise in identifying and analyzing vulnerabilities, misconfigurations, and privilege escalation paths
Reviews against Industry Standards - Proficiency in reviewing operating system, middleware, and network device configurations against industry benchmarks (CIS, NIST, vendor best practices)
Identity and Access Management - Hands-on experience with access control and identity management, including Active Directory, LDAP, IAM policies
User Access Reviews - Demonstrated ability to conduct periodic User Access Reviews to ensure compliance with the principle of least privilege
Regulatory Assessments - Knowledge of regulatory and compliance requirements (GDPR, PDPL, CBUAE, CBE, RBI, PCI-DSS, ISO 27001, HIPAA)
Image Security & Hardening - Review and hardening of container images, minimization of base images, removal of unused packages
Access Control & Identity Management - Evaluation of Kubernetes/OpenShift API access controls, RBAC, service accounts, and secrets management
Network Security - Implementation and review of Kubernetes network policies, service mesh security (Istio, Linkerd)
Supply Chain Security - Review of CI/CD pipelines for security vulnerabilities, implementation of container image scanning (Trivy, Anchore, Clair), SBOM validation
Runtime Security Monitoring - Use of tools like Falco, Aqua, Prisma Cloud, or Sysdig to detect anomalous behavior
Source Code Repository Security - Review of repository configurations, branch protection rules, secret scanning, commit history review
Build & Deployment Process Security - Ensuring integrity of build artifacts, secure artifact storage
Secrets Management - Integration and security of vault solutions (Hashicorp Vault, AWS Secrets Manager, Azure Key Vault)
Pipeline Configuration Review - Ensuring security scanning stages (SAST, DAST, SCA, container scanning) are enforced in CI/CD workflows
Cryptographic Principles & Algorithms - Strong understanding of symmetric and asymmetric encryption, hashing, digital signatures, and key exchange protocols (RSA, ECC, AES, SHA-2/3, HMAC, Diffie-Hellman, ECDH)
Protocol Security Assessment - Ability to evaluate the security of cryptographic protocols such as TLS, IPsec, SSH, S/MIME, PGP, Signal protocol
Key Management & Lifecycle Review - Assessment of secure key generation, storage, rotation, backup, destruction, and usage policies
Implementation Flaw Detection - Identification of issues like padding oracle vulnerabilities, weak cipher modes, replay attacks, downgrade attacks
Public Key Infrastructure (PKI) Security - Assessment of CA trust chains, certificate issuance policies, OCSP/CRL validation
Cryptographic API & Library Review - Review of cryptographic API usage in applications (OpenSSL, BouncyCastle, libsodium, WebCrypto API)
Compliance & Standards Knowledge - Awareness of FIPS 140-3, ISO/IEC 19790, PCI-DSS
Post-Quantum Cryptography Awareness - Familiarity with emerging NIST PQC algorithms
Cloud Security Architecture Review - Understanding of the network topologies used in cloud-native and hybrid cloud environments, and of identity management and role-based access controls in the cloud
Cloud Security Posture Management - Well-versed in reviewing the complete cloud security posture using tools such as Wiz
SaaS Security Posture Management - Well-versed in reviewing the security posture of SaaS applications via SSPM tool integrations
Data Leakage Prevention - Ensuring that data security is maintained in cloud environments through appropriate storage and data encryption methods
Deep foundational knowledge and practical application of Information Security principles across both technical and non-technical domains
Strong understanding of enterprise architecture, public/private cloud platforms (IaaS/PaaS), and cloud security risks and mitigations
Demonstrated experience in DevSecOps practices, including CI/CD pipelines, containerization, SAST/DAST tools
Ability to interpret and implement security requirements from regulatory or oversight functions into high-level and detailed design documentation
Skilled in analyzing vulnerability assessment and penetration testing reports, determining inherent and residual risk
Hands-on capability in application and infrastructure testing, identifying threats, and proposing effective countermeasures
Competence in applying design principles and secure coding patterns
Strong understanding of microservices architecture and its unique security considerations
In-depth expertise in web and mobile application security testing, including bypassing weak controls (SSL pinning, root/jailbreak detection, WAF evasion)
Proficiency in hardening reviews and the creation or assessment of baseline hardening standards for systems, networks, and applications
Effective collaboration skills with architecture, development, security, and leadership teams
Strong understanding of endpoint security technologies (AV, EDR, SIEM) and their integration within enterprise environments
Familiarity with risk management frameworks and the ability to align technical findings to business risk context
Capable of working independently, managing multiple priorities, and delivering high-quality outcomes under pressure
Experience guiding or mentoring peers on development standards, secure design, and architectural best practices
Knowledge of Agile methodologies (Scrum, Kanban) and experience embedding security practices within agile ceremonies
Exposure to automation and scripting for security validation, assessment, or infrastructure configuration
Strong interpersonal and negotiation skills with the ability to influence senior stakeholders
Awareness of emerging threats and evolving technologies
Understanding of governance, compliance, and audit processes related to security architecture and risk management
Proven ability to engage and collaborate effectively with diverse stakeholders
Strategic and holistic mindset, capable of balancing security requirements with functional needs
Confident and assertive presence in project boards and working groups
Exceptional written and verbal communication skills
Resilient under pressure, with a history of meeting challenging deadlines without compromising quality
Persuasive and influential in articulating security risks and concerns to varied audiences
Demonstrated decision-making, planning, and time management skills
Positive, constructive, and solutions-oriented attitude