Security Engineer II

Bengaluru, Mumbai full-time

Job description

The Security Engineer II role at Upstox involves designing, developing, and maintaining security tools and automation processes to enhance security measures across the organization, conducting security architecture and code reviews, and performing vulnerability assessments and penetration testing. Required skills include a minimum of 3 years in Application Security, proficiency in programming languages such as Python, Go, or Node.js, experience with Kubernetes, cloud security, web/mobile application security, and familiarity with cryptographic controls and red team exercises.

Responsibility

  • Design, develop, and maintain tools and web applications to automate security tasks and enhance security measures across the organization.
  • Develop and integrate security automation tools and processes into the CI/CD pipeline to ensure continuous security testing and compliance.
  • Create threat models to identify risks and implement controls to mitigate those risks.
  • Conduct security architecture and design reviews to identify and resolve issues in applications and infrastructure.
  • Develop and maintain security testing plans.
  • Review source code to identify potential security vulnerabilities.
  • Perform vulnerability assessments and penetration testing, and prioritize the identified vulnerabilities.
  • Develop proof of concept (PoC) exploits for vulnerabilities and collaborate with the engineering team to address them.
  • Solve complex vulnerabilities, such as business logic flaws, and communicate solutions to both technical and non-technical stakeholders.
  • Build and maintain strong relationships with key stakeholders and business partners.

Qualifications

  • 3 to 6 years of experience in Application Security with hands-on technical skills.
  • Strong understanding of web application security threats, exploits, and prevention techniques (SQL Injection, XSS, CSRF, etc.).
  • Proficiency in programming languages like Python, Go, or Node.js, with experience in building security tools.
  • Experience with Kubernetes (K8s), cloud security, WAF, Bot manager, and securing web/mobile applications.
  • Experience implementing cryptographic controls to protect sensitive data and integrating SAST controls in CI/CD pipelines.
  • Familiarity with red team exercises, threat hunting, and OSINT practices.
  • Experience in mobile security testing, with knowledge of Selenium and Appium being an advantage.
  • Ability to estimate effort, meet deadlines, and communicate effectively.
  • Proven ability to influence others without direct authority.
  • Experience in Financial Services or Fintech is a plus, with a hands-on, problem-solving attitude.

Job Summary

Last Seen: 2024-12-22

Job Type: full-time

Location: Bengaluru, Mumbai

First Seen: 2024-12-17

Company Summary

Upstox is a fast-growing Indian online stock trading platform, offering equities, commodities, currency, and mutual fund investments. Backed by marquee investors, it's known for its user-friendly interface, low-cost model, and being a reliable choice for tech-savvy traders seeking efficient financial market access.