
Senior Application Security Specialist

YASH Technologies

5 - 10 years

Bengaluru

Posted: 12/02/2026


Job Description

Role Overview

The consultant will be responsible for end-to-end application security testing across enterprise applications. This includes Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), API security testing, security testing of AI/ML platforms, and penetration testing. This role requires deep expertise in identifying vulnerabilities, guiding remediation, and ensuring compliance with industry standards such as OWASP Top 10, CWE, CVE, and NIST guidelines.

Key Responsibilities

Static Application Security Testing (SAST)

  • Perform source code analysis to detect insecure coding practices.
  • Review applications written in Java, .NET, Python, and JavaScript for vulnerabilities such as SQL injection, XSS, and insecure deserialization.
  • Integrate SAST tools (e.g., Checkmarx, Fortify, Veracode) into CI/CD pipelines.

Dynamic Application Security Testing (DAST)

  • Execute runtime testing of applications to identify vulnerabilities in deployed environments.
  • Use tools like Burp Suite, OWASP ZAP, and HCL AppScan to simulate attacks.
  • Validate findings against OWASP Top 10 and provide remediation guidance.

API Security Testing

  • Test REST, SOAP, GraphQL, and gRPC APIs for vulnerabilities such as broken authentication, excessive data exposure, and injection flaws.
  • Use tools like Postman, SoapUI, and Burp Suite for automated and manual API testing.
  • Apply OWASP API Security Top 10 principles to secure API endpoints.

Penetration Testing

  • Conduct manual and automated penetration tests for web, mobile, and cloud applications.
  • Simulate adversarial attacks to uncover weaknesses beyond automated scans.
  • Use tools like Metasploit, Nmap, and Wireshark to perform advanced exploitation.

Security Testing of AI/ML Platforms

  • Validate the integrity of training and inference datasets and ensure encryption and sanitization of sensitive datasets.
  • Test for data poisoning, malicious samples, and insecure preprocessing scripts.
  • Assess ML/LLM models for adversarial attacks, model inversion, poisoning, and backdoors.
  • Apply frameworks like OWASP LLM Top 10 for generative AI risk coverage.
  • For LLMs, test for prompt injection, jailbreaking, unsafe content generation, and data leakage, and simulate adversarial queries to evaluate the resilience of LLM-based applications.
  • Conduct API testing for AI/ML inference endpoints (REST, GraphQL, gRPC).
  • Validate containerized deployments (Docker, Kubernetes) for secure orchestration.
  • Perform penetration testing on deployed AI services to uncover misconfigurations.

Governance & Compliance

  • Ensure applications comply with PCI DSS, ISO 27001, GDPR, and industry-specific regulations.
  • Support audits and provide evidence of secure coding practices.

Collaboration & Advisory

  • Partner with developers, architects, and product owners to embed security into the SDLC/DevSecOps pipeline.
  • Provide training and mentoring on secure coding and vulnerability remediation.

Documentation & Reporting

  • Prepare detailed assessment reports, dashboards, and executive summaries.

Required Technical Knowledge & Competencies

  • Expertise in SAST, DAST, API security testing, and penetration testing.
  • Strong programming knowledge (Java, .NET, Python, JavaScript) for code-level analysis.
  • Familiarity with cloud security testing (AWS, Azure, GCP).
  • Experience with container security (Docker, Kubernetes).
  • Excellent communication and stakeholder management skills.

Qualifications

  • Bachelor's degree in Computer Science, Information Security, or a related field.
  • 8-10 years of IT experience, with at least 5 years in application security testing.
  • Preferred certifications: OSCP, CEH, GWAPT, CISSP.
