Two95 International Inc.: DevSecOps Engineer

About the role

Two95 International Inc.

JOB DESCRIPTION:

We are looking for a DevSecOps Engineer with 6-8 years of experience.

As a DevSecOps Engineer, you will be responsible for identifying, mitigating, and preventing security vulnerabilities in an organization's Application Programming Interfaces (APIs) throughout the entire software development lifecycle (SDLC).

Requirements:

Proficiency in programming languages such as Python, Java, JavaScript, or Go, to understand and review code effectively.

Direct hands-on experience developing and securing web APIs and web applications: REST, SOAP, gRPC.

Direct hands-on experience with security testing of web services and web APIs.

Experience with API Management solutions.

Knowledge of application threat modelling and remediation of OWASP API Top 10, CIS Top 10, SANS Top 25 a plus.

Responsibilities:

Conduct design reviews and threat modelling exercises for new APIs and features to proactively identify potential attack vectors and weak points before development begins.

Perform ongoing governance and follow-through with API owners to ensure implementation of threat-based requirements.

Support and consult with development and engineering teams in the areas of application security.

Develop, deliver and keep up-to-date API security standard requirements and design patterns.

Validate implementation of API security controls against outputs of vulnerability testing tools to enable auditability and verifiability.

Serve as an API security technical advisor to application teams.

Experience working with AWS or other cloud environments (development/architecture).

Experience with cloud and API security standards (OWASP API Top 10, CIS Top 20).

Perform security risk assessments for all proposed application-related (APIs) changes.

Examine source code for security flaws, insecure patterns, and hardcoded credentials, providing actionable feedback and remediation guidance to development teams.

Assist in the investigation and analysis of security incidents related to applications and APIs, helping to identify the root cause and implement remediation plans.

Develop and deliver secure coding guidelines and training programs for developers to foster a security-aware culture within the organization.

Enhance security monitoring and analyse API traffic logs for anomalies to detect and respond to real-time threats and business logic abuse.

Must-Have Skills:

In-depth knowledge of REST, GraphQL, SOAP, and authentication mechanisms like OAuth 2.0, OpenID Connect (OIDC), and JWT.

Expertise in identifying and mitigating top API threats (broken object-level authorization, injection, security misconfiguration) and using tools for DAST/SAST, such as Postman, Burp Suite, and Swagger.

Proficient in scripting languages, primarily Python or Go, for automating security testing and developing security tools.

Understanding cloud infrastructure (AWS/Azure/GCP) security, container security (Kubernetes/Docker), and API gateways.

Ability to perform threat modeling (STRIDE) and design secure APIs, including encryption (TLS), rate limiting, and input

Experience with attacker tactics, techniques, and procedures, and corresponding mitigation methods.

Sound knowledge of all procedures, standards, and regulations for authorization and authentication, applied cryptography, and security vulnerabilities.
