FULLTIME
Application Security Engineer (AppSec) – DevSecOps
Talentgigs
Not specified · onsite · Posted 1d ago
Your match
Sign in to see your match score, skill gaps & tailored resume.
Section · 01
About this role
Role: SR. SECOPS & APPSEC LEAD
Experience: 5-8 years Location: Noida
JD: Role Overview We are looking for a Sr. SecOps & AppSec Lead to own and drive security operations across the entire product lifecycle — from code commit through build, deployment, and production. You will manage our security scanning pipeline (Veracode, SonarQube, Trivy), identify and remediate vulnerabilities in application code and open-source dependencies, upgrade libraries to eliminate known CVEs, and work hands-on to fix application security issues alongside development teams. This role blends application security engineering with DevOps pipeline management. You will not just report vulnerabilities — you will reproduce them, assess their real-world exploitability in our context, and either fix them yourself or guide developers through remediation. You will also own CI/CD pipeline health, ensuring security gates are embedded into every build without becoming a bottleneck. Additionally, you will lead 1–2 junior engineers, building a small but effective security operations practice. Key Responsibilities Security Scanning & Pipeline Management • Own and manage the end-to-end security scanning pipeline: SAST (Veracode, SonarQube), SCA (Veracode SCA / Snyk / OWASP Dependency-Check), and container image scanning (Trivy) • Configure, tune, and maintain scanning policies — reduce false positives, set severity thresholds, and define quality gates that block vulnerable builds from promotion • Integrate security scans seamlessly into CI/CD pipelines (Git runner/GitLab CI) so that every pull request and release build is automatically validated without slowing developer velocity • Maintain dashboards and reporting on vulnerability trends, scan coverage, mean-time-to-remediate (MTTR), and open risk posture across the product portfolio • Evaluate and onboard new security tools as the threat landscape and technology stack evolve Vulnerability Identification, Reproduction & Remediation • Triage vulnerability findings from SAST/SCA/container scans — assess real-world exploitability in the context of the our platform, not just CVSS scores • Reproduce open-source and third-party library vulnerabilities in controlled environments to validate their impact and determine whether the vulnerable code path is actually reachable in our product • Hands-on fix application security issues: SQL injection, XSS, CSRF, insecure deserialization, broken authentication, SSRF, path traversal, and other OWASP Top 10 vulnerabilities in the application codebase • Plan and execute library upgrades to remediate known CVEs in open-source dependencies — assess compatibility impact, coordinate with development teams, and validate that upgrades do not introduce regressions • Manage a vulnerability backlog with clear prioritization (critical/high exploitable vs. low-risk theoretical), SLA tracking, and regular reporting to engineering leadership Application Security Engineering • Conduct security code reviews for high-risk features: authentication/authorization flows, API security, data encryption, secrets management, and inter-module communication (API/MQ) • Define and enforce secure coding standards and guidelines for the development teams, covering input validation, output encoding, parameterized queries, secure session management, and cryptographic practices • Perform or coordinate DAST (Dynamic Application Security Testing) and periodic penetration testing, managing findings through to closure • Review and harden Kubernetes deployment configurations: pod security policies/standards, network policies, RBAC, secrets management (Vault/Sealed Secrets), and container runtime security • Ensure secure handling of sensitive financial data in transit and at rest, aligned with client security requirements and regulatory expectations CI/CD Pipeline Ownership & DevOps • Co-own CI/CD pipeline infrastructure (Git runner/GitLab CI): build pipeline optimization, artifact management, deployment automation, and environment provisioning • Implement and maintain infrastructure-as-code for security tooling (Terraform/Helm charts for scanning infrastructure, policy-as-code for compliance checks) • Manage Docker image lifecycle: base image hardening, image scanning in registries, tag governance, and ensuring minimal-footprint production images • Automate security compliance checks: license scanning for open-source dependencies, secrets detection in code repositories (GitLeaks/TruffleHog), and configuration drift detection • Support deployment pipelines for Kubernetes environments: Helm chart security, admission controllers, and runtime protection integration Compliance, Audit & Governance • Support compliance efforts (SOC 2, ISO 27001, or client-specific security assessments) by providing evidence of security controls, scan reports, and remediation records • Coordinate with external penetration testing firms: scope definition, environment preparation, finding triage, and remediation tracking • Maintain security documentation: threat models, security architecture diagrams, incident response runbooks, and vulnerability management procedures • Produce regular security posture reports for engineering leadership and client-facing teams, translating technical findings into business risk language Team Leadership & Security Culture • Lead, mentor, and develop 1–2 junior SecOps/AppSec engineers, establishing workflows, review processes, and growth paths • Drive a security-aware culture across engineering: conduct threat modeling workshops, secure coding training sessions, and brown-bag presentations on real-world vulnerabilities • Create and maintain internal security knowledge base: remediation playbooks, common vulnerability patterns in the codebase, and library upgrade guides
Sourced from linkedin · view original
Let the agent run this one for you.
Tailored resume, auto-apply, and referral lookup — in under 2 minutes.
Section · 02