The scope of the application security engineer's activities is as follows:
- Web Application Security
- API Security
- Cloud Application Security (application layer only)
Activities:
The scope of activities is as follows:
Security Assessments, Threat Modelling & Code Reviews
- Perform application security assessments for web, API, and cloud-hosted services.
- Conduct threat modelling for key features/releases (trust boundaries, data flows, misuse cases).
- Conduct tool-assisted secure code reviews for selected modules.
Security Controls, Authentication & Encryption
- Define/refine application security controls (validation, encoding, secure headers, rate limiting).
- Define/refine authentication mechanisms (OAuth2/OIDC, session/token handling, MFA patterns where applicable).
- Define/refine encryption and key management patterns (TLS, encryption at rest, key rotation).
Secure Coding Guidelines and Standards
- Develop and maintain secure coding guidelines, checklists, and secure patterns.
- Maintain standards aligned to the OWASP Top 10 and OWASP API Security Top 10 risks.
Remediation Support & Fix Verification
- Collaborate with development teams to remediate vulnerabilities.
- Retest and verify fixes, and provide closure evidence.
Application Vulnerability-Related Incident Monitoring & Response Support
- Support triage of application vulnerability-related incidents.
- Conduct root-cause analysis and recommend preventive guardrails.
Documentation of Application Security Guidelines and Checklists
Description of Deliverables:
- Threat model artifacts and secure architecture review notes.
- Code review findings from a security perspective.
- SAST and DAST scan profiles and scope rules.
- SAST and DAST reviewed findings reports, with remediation guidance.
- Defined/refined security standards: secure coding guidelines and checklists.
- Incident triage support notes and post-incident improvement actions.
- Weekly/monthly status reports, in the agreed format.
- Any other development/support tasks or deliverables assigned by management.
Requirements:
- Experience with web application security
- Knowledge of API security
- Understanding of cloud application security
- Experience with security assessments
- Familiarity with threat modelling
- Experience with secure code reviews
- Knowledge of security controls
- Understanding of authentication mechanisms
- Familiarity with encryption and key management
- Experience with secure coding guidelines and standards