Scope: The scope of application security engineer activities is as follows:
- Web Application Security
- API Security
- Cloud Application Security (application layer only)
Activities:
The scope of activities is as follows:
- Security Assessments, Threat Modelling & Code Reviews
  - Perform application security assessments for web, API, and cloud-hosted services.
  - Conduct threat modelling for key features/releases (trust boundaries, data flows, misuse cases).
  - Conduct tool-assisted secure code reviews for selected modules.
- Security Controls, Authentication & Encryption
  - Define/refine application security controls (input validation, output encoding, secure headers, rate limiting).
  - Define/refine authentication mechanisms (OAuth2/OIDC, session/token handling, MFA patterns where applicable).
  - Define/refine encryption and key management patterns (TLS, encryption at rest, key rotation).
- Secure Coding Guidelines and Standards
  - Develop and maintain secure coding guidelines, checklists, and secure patterns.
  - Maintain standards aligned to the OWASP Top 10 and OWASP API Security Top 10 risks.
- Remediation Support & Fix Verification
  - Collaborate with development teams to remediate vulnerabilities.
  - Retest and verify fixes, and provide closure evidence.
- Application Vulnerability-Related Incident Monitoring & Response Support
  - Support triage of application vulnerability-related incidents.
  - Conduct root-cause analysis and recommend preventive guardrails.
- Documentation of Application Security Guidelines and Checklists
Description of Deliverables:
- Threat model artifacts and secure architecture review notes.
- Security code review findings.
- SAST/DAST scan profiles and scope rules.
- Triaged SAST/DAST findings reports, with remediation guidance.
- Defined/refined security standards: secure coding guidelines and checklists.
- Incident triage support notes and post-incident improvement recommendations.
- Weekly/monthly status reports, in the agreed format.
- Any other development/support tasks or deliverables assigned by management.
11C4879