Product security lead
Bengaluru, Karnataka, India
Who are we?
Whatfix is the #1 Digital Adoption Platform (DAP) for Enterprises. We are disrupting the way Learning, Training and Application Support content is consumed. We provide large enterprises (mostly Fortune 500 companies) with a SaaS platform that helps accelerate product adoption and reduce support and training efforts by providing contextual, step-by-step guidance inside any web application at the exact time a task is being performed. The product has redefined the way companies onboard, train, and provide support to users.
What sets us apart from the rest?
With over 100 of the Fortune 1000 companies already onboard as customers, Whatfix has been named among the top 20 B2B tech companies alongside the likes of Adobe, PayPal, and Cisco. With a YoY growth of 300%, we have also been recognized among the top 50 fastest growing SaaS companies worldwide in the SaaS 1000 list and as a Market Leader by Gartner in the Digital Adoption space.
“Hustle Mode ON” is something we live by.
Position Summary:
Your role will be working on implementing the security strategy governing the application. You will work with the various engineering teams to understand product and business needs, provide expertise around Secure application and cloud service development, as well as define and own clear guardrails, alerts, and Security as Code (SaC) deployments to provide 24/7 protection from malicious traffic, vulnerabilities and other attack vectors.
Responsibilities:
- Help define consistent Secure Software Development Lifecycle practices for all Whatfix technology projects throughout the planning and delivery cycles, ensuring that application security risks are mitigated
- Ensure end-to-end security of Whatfix products through hands-on testing, hypothesizing threats, helping development teams remediate risks upfront and championing secure implementation efforts
- Improve secure coding practices, application security requirements, automation, training, and metrics
- Integrate threat modeling practices into the Software Development Lifecycle
- Help build secure products and standards around emerging technologies and using existing standards and security practices
- Perform Security Architecture and Low Level Application Security Design review involving: Data Protection, Authentication and Authorizations, Web Application Security and Network Security
- Collaborate with product development and solution teams proactively to manage software security risk aligned with business goals
- Collaborate with product and solution teams to achieve the cybersecurity program's software security objectives
- Manage cross-functional internal and external team collaboration, evangelization, and communications
- Develop and optimize processes that make security development practices easier for engineering teams to adopt
- Maintain active understanding of industry practices for secure software development and incident response
- Carry out and own closures for Vulnerability Assessment and Penetration Testing for both Infra and Applications.
- Perform both Manual and Automated Security Testing for identifying application vulnerabilities.
- Perform periodic Configuration audits on Network Devices, Servers and other critical functions.
- Perform code review across a variety of programming languages and provide recommendations for preventive and corrective actions
- Perform assessments of SDLC processes
- Develop testing scripts and procedures
- Other security-related projects that may be assigned according to skills
- Continually evaluate application architecture in order to enhance process design
- Evaluate suspected vulnerabilities, work with subject matter experts, and recommend corrective actions.
- Document any special security requirements identified as well as protection measures implemented to fulfill these requirements for the information contained in the information systems.
- Evaluate security products and recommend solutions
- Advise projects on Secure Coding Standards and Security Information Management
Skills and Experience Required:
- Deep understanding of the OWASP Top 10 and CWE Top 25, with a proven track record and experience in implementing and integrating remediation strategies
- Excellent understanding of web applications, web servers, layer 7 application technologies, frameworks and protocols with respect to application development and deployment
- Well versed in web application design, penetration testing, application risk assessment and risk categorisation
- Well versed (experience preferred) in driving and implementing secure development practices into the SDLC (SSDLC); ability to successfully integrate security into a developer's world
- Success in implementing effective Secure SDLC frameworks across a large corporation.
- Ability to effectively present and communicate security threats and risks to any audience and impress upon them the mitigation techniques and strategies
- Familiar with waterfall and agile development processes and have experience integrating secure development practices into both models.
- Familiar with code management system (e.g.: BitBucket), CI/CD system (e.g.: Jenkins), Docker, Kubernetes, microservice architecture, OAuth 2.0, OpenID Connect.
- Deep knowledge and experience in using SAST, DAST, IAST, SCA and fuzz testing tools
- Highly effective communicator; well-honed influencing and negotiating skills
- Solid problem solving and analytical skills; able to quickly digest any issue/problem encountered and recommend an appropriate solution.
- Self-motivated; able to work independently; able to negotiate and bring consensus to diverse priorities of product development and solution teams.
- Software development domain and principles, including design patterns, code structure, programming languages, continuous integration (Bitbucket), continuous deployment (Jenkins), and deployment orchestration (Puppet, Ansible, or equivalent)
- Knowledge of RESTful web services (client-server applications)
- Hands-on automation and DevOps skills
- Experience with network assessment and exploitation tools (e.g., Kali Framework, Qualys Guard, Nessus, Nexpose, Nmap, Metasploit, Saint)
- Experience in performing static code review (e.g., Checkmarx, HP Fortify, HCL Appscan Source)
- Experience in at least 2 scripting languages such as Python, Perl, PHP, Ruby etc.
- Able to assess an application using OWASP, OSSTMM, CESG, CREST, NIST, ISSAF, PTES methodologies
- Knowledge of standard SDLC practices and flexibility to work in an Agile model
- Minimum of 3 years work experience in application and network security
- Experience with high-level programming languages (e.g., Java, C, C++, .NET (C#, VB)) and DAST code review is a plus
- Knowledge of operating systems, preferably Windows / Linux / UNIX, and network equipment
- Experience in providing technical oversight to other project team members to maintain engagement quality.
- Experience in mentoring, coaching staff and ability to lead teams under demanding circumstances to accomplish project team objectives.
Qualifications
- Qualification required: Bachelor's or Master's degree in either Computer Engineering or Information Science
- Certification preferred: OSCP, CEH, ECSA, CPT, LPT
- Minimum experience: 10+ years in the domain of Product security.
- At least 3 years' experience in leading a team.
Tags: Agile Ansible Application security Audits Automation Bitbucket C CEH Checkmarx CI/CD Cloud CREST DAST Docker ECSA Incident response Java Kali Kubernetes Linux Metasploit Nessus Network security NIST Nmap OpenID OSCP OWASP Pentesting Perl PHP Product security Puppet Python Qualys Risk assessment Ruby SaaS SAST Scripting SDLC Security strategy Strategy UNIX Vulnerabilities Windows
Perks/benefits: Career development Flex hours