Algotale Infosec Engineer

Job description

Role: Infosec Engineer

Exp- 1-3 years

Location: Bangalore

Job Description: 

We are seeking an Application Security Engineer to perform vulnerability assessments and penetration testing on web integrations, web application and mobile applications.

Responsibilities include identifying security vulnerabilities, conducting secure code reviews, and ensuring compliance with OWASP, NIST, and ISO 27001 standards.

The role requires expertise in manual and automated security testing using tools like Burp Suite,
Metasploit, and Kali Linux.
Key Responsibilities:
Vulnerability Assessment & Penetration Testing:
● Perform regular internal and external VAPT on infrastructure, web applications, APIs,
mobile applications, and cloud environments.
● Identify, triage, exploit security vulnerabilities through static and dynamic application
security testing (SAST/DAST) and report vulnerabilities with detailed proof-of-concept
(PoC) documentation.
● Use both automated and manual testing methodologies to uncover security weaknesses.
● Perform security-focused code reviews.
Threat Analysis & Risk Assessment:
● Conduct in-depth risk assessments of identified vulnerabilities.
● Collaborate with teams to prioritize and remediate security issues.
● Develop and maintain a vulnerability management program.
Tooling & Automation:
● Utilize open-source and commercial VAPT tools such as Burp Suite, Nessus, Nmap, Metasploit, OWASP ZAP, and others.
● Create and enhance custom scripts or tools to automate testing processes.
● Stay updated on the latest vulnerabilities, exploits, and security trends.

Reporting & Documentation:
● Prepare detailed VAPT reports with risk ratings, impact analysis, and remediation recommendations.
● Communicate findings to technical and non-technical stakeholders.
● Ensure compliance with industry standards (e.g., OWASP, CIS, NIST) and regulatory
requirements. Collaboration & Continuous Improvement:
● Work closely with DevOps, IT, and engineering teams to address security gaps.
● Assist teams in reproducing, triaging and addressing application security vulnerabilities.

● Work closely with developers to integrate security into the software development lifecycle, providing guidance on secure coding practices.
● Contribute to security awareness programs by sharing insights from VAPT exercises.
● Support red team/blue team exercises, if applicable.

Required Skills
● Strong hands-on experience with VAPT tools (e.g., Nessus, OpenVAS, Qualys, Burp Suite, Metasploit, Nmap, etc.).
● Proficiency in identifying and exploiting vulnerabilities (SQLi, XSS, RCE, SSRF, IDOR, etc.).
● Ability to perform threat modeling to identify potential security threats and design effective countermeasures.
● Knowledge of secure coding practices and SDLC integration.
● Experience with cloud security testing (AWS, Azure, GCP).
● Familiarity with scripting languages (Python, Bash, PowerShell) for automation.
● Understanding of common security frameworks (OWASP, MITRE ATT&CK, NIST).
● Strong analytical and problem-solving skills.
● Having experience in the security domain for 1-3 years

Preferred Qualifications:
● Certifications: OSCP, CEH, GPEN, eCPPT, or equivalent.
● Experience with container and Kubernetes security testing.
● Knowledge of WAF bypass techniques and post-exploitation tactics.
● Experience with CI/CD pipeline security testing

Information Security Engineer (InCred Grade - Assistant Manager)-3+ years

Job Description

• Evaluating, Testing, and integrating security tools, standards, and associated processes as per the security framework.
• Assist in creating and managing the framework for Information Security in alignment with industry best practices (ISO 27001)
• Improve the cyber security program governance processes including cyber security risk reporting (recommending new report formats, reporting technologies and collaborating with team members to build-out reports/dashboards) and governance committee
• Develop of cyber security standards, including incorporating industry practices and applicable compliance requirements
• Monitor and report compliance with cyber security standards and security rules of relevant cyber security and regulatory privacy requirements
• Improving and supporting application security tool deployments including static analysis and runtime testing tools.
• Create and manage process to guide development and testing teams on proactively finding application security risks
• Improving and maintaining secure development standards.
• Supporting the application architecture/design review processes whenever application security expertise is needed.
• Oversee and improve third-party information security risk management programs to assess risks associated with the usage of third-parties/vendors.
  
  Assist in 3rd party security due-diligence reviews
• Conduct periodic penetration testing services of application and related infrastructure.
  
  Closure of open risks by actively following-up with stakeholders.
• Assess application, design threat models, risk, document potential risk vectors, recommend relative controls and ensure risk is addressed 
• Maintain security risk register to track the identified risks and produce metrics to report the state of application security program and risk status.
• Additional responsibilities to this role include:
  • Recommend cybersecurity assessment methodology and support purple team exercises when required 
  • Assessing cloud security risk (AWS, Google, and Azure) and recommending appropriate security controls
• Assist in imparting security awareness training and executing phishing simulation exercises to employees.
• Track and report security metrics to higher management on a regular basis
• Define hardening standard for various technology and assess compliance levels
• Identify, prioritize, and track security incidents and manage related platforms such as SIEM, DLP, EDR and other security tools
• Provide clear communication on the issue to application owners and verify the efficacy of vulnerability remediation
• Should have ability to drive VAPT engagements end to end for Web, Mobile and Infra with Internal stakeholders and external agencies if required
• Basic understanding of regulatory requirements of Indian Fintech ecosystem like RBI, SEBI, NSE, BSE others

Key Areas: ISO 27001, security governance, evaluating and implementing security tools (SIEM, DLP, endpoint protection), security reviews and assessment, preparation of security checklist, security awareness/phishing simulation, cloud security, Application security.

Certifications: good to have - ISO 27001, CISM, or CISSP ( Not Mandatory ) 

Experience

• Should have 3+ years of experience in the information security domain
• Must have sound knowledge in security vulnerabilities, remediation and mitigation techniques. 
• Ability to document and explain technical details in a concise & understandable manner 
• Industry recognized certificates relevant to the roles such as CISM, CISSP, CISA, ISO 27001 are desired 
• Ability to lead complex, cross-functional projects, and problem-solving initiatives. 
• Passionate about information security and update knowledge on daily basis to support the organization
• Candidates must have excellent verbal and written communication skills
• Candidates must be able to explain all vulnerabilities and weaknesses in the OWASP Top 10, to concerned stakeholders and discuss effective defensive techniques.
• Familiarity with industry standards and regulations including PCI, ISO27001, CIS, NIST is desired.
• Good understanding of the Docker, Kubernetes, and security models
• Fair understanding of public cloud models (e.g. AWS, Google, Microsoft Azure) and their security implications

Skills:

• Candidate should be a good team player
• Should have good interpersonal skills
• Good written communication skills including ability to develop process documentation and security guidelines.
• Ability to apply critical thinking and logic to a wide range of intellectual and practical problems
• Ability to maintain composure under pressure and work calmly during an emergency
• Ability to manage multiple tasks and schedules

Interview evaluation parameters: 

Required Skill Profession

Computer Occupations