Job Description

Business Function

Technology and Operations (T&O) enables and empowers the bank with an efficient, nimble and resilient infrastructure through a strategic focus on productivity, quality & control, technology, people capability and innovation. In Group T&O, we manage the majority of the Bank's operational processes and aspire to delight our business partners through our multiple banking delivery channels.


Job Purpose

Application Security is responsible for embedding security across the application development lifecycle, performing application security testing, identifying and managing vulnerabilities, and ensuring secure coding practices. The role requires hands-on experience in SAST, DAST, SCA, API security, and cloud-native applications, with strong alignment to regulatory and compliance requirements.


Job Duties & Responsibilities


Application Security Testing

  • Perform application security assessments across:
      • Web applications
      • Mobile applications (Android / iOS)
      • APIs and microservices
  • Perform the following types of testing:
      • SAST (Static Application Security Testing)
      • DAST (Dynamic Application Security Testing)
      • SCA (Software Composition Analysis)
      • API security testing
  • Support manual application penetration testing for high-risk and critical applications.
  • Validate remediation through re-testing and verification.


Secure SDLC & DevSecOps

  • Integrate security controls into the SDLC and CI/CD pipelines.
  • Review application architecture and design for security risks.
  • Implement DevSecOps practices, including shift-left security.
  • Support secure coding practices and provide remediation guidance to development teams.


Vulnerability Management (Application Context)

  • Triage application vulnerabilities based on risk, exploitability, and business impact.
  • Track vulnerabilities through closure using ticketing tools.
  • Ensure remediation SLAs are met and escalate aging/high-risk issues.


Secure Coding & Developer Enablement

  • Provide secure coding guidelines and best practices.
  • Conduct secure code reviews and developer security training.
  • Assist development teams in fixing vulnerabilities with actionable recommendations.


Compliance & Audit Support

  • Ensure application security practices align with:
      • RBI Cybersecurity Framework
      • ISO 27001
      • PCI DSS
      • OWASP standards
  • Support audits by providing:
      • Application security assessment reports
      • Evidence of secure SDLC implementation
      • Remediation and exception documentation


Core Competencies

Strong understanding of:

  • Web application architecture and APIs
  • Common application vulnerabilities and attack vectors
  • Authentication, authorization, and session management

Knowledge of programming/scripting languages (any of Java, .NET, Python, JavaScript), sufficient for code understanding.


Technical Competencies

Hands-on experience with one or more of the following:

  • SAST: Checkmarx, Fortify, Veracode, SonarQube
  • DAST: Burp Suite, OWASP ZAP, AppScan
  • SCA: Black Duck, Snyk, WhiteSource (Mend)
  • API Security: Postman, Burp, OWASP API tools

Exposure to:

  • CI/CD tools (Jenkins, GitLab, Azure DevOps)
  • Cloud-native applications (AWS / Azure / GCP)

Familiarity with OWASP Top 10, OWASP ASVS, and CWE.


Required Experience

  • 5–7 years of experience in Application Security / AppSec
  • Experience in enterprise or BFSI environments preferred
  • Exposure to cloud and microservices-based applications
  • Certifications (preferred but not mandatory):
      • CEH, GWAPT, CSSLP, OSCP (AppSec exposure)


Education / Preferred Qualifications

  • Graduation: BE IT/Computers/Electronics, B.Sc - Computers, M.Sc - Computers
  • Post-Graduation: PGDIT, MCA, MBA
