Product Security Lead/Information Security
Bengaluru
Whatfix
Whatfix's interactive digital adoption platform and analytics enable employees with contextual user experiences, step-by-step guidance, self-help user support, and user behavior analytics to drive digital adoption for desktop, mobile, and web...
Location: Bengaluru
Who are we?
Whatfix is a leading global B2B SaaS organization and the largest pure-play enterprise digital adoption platform solution provider.
Utilizing GenAI technology, Whatfix enhances all stages of software deployment with application simulation, product analytics, and digital adoption, driving business outcomes such as increased revenue win rates, cost reduction, risk compliance, enhanced productivity, and improved user experience.
We have seven offices in the US, India, UK, Germany, Singapore, and Australia, supporting 700+ global customers, including 80+ Fortune 500 companies. Whatfix has raised $140 million to date and is backed by marquee investors, including Softbank, PeakXV, Dragoneer, and Cisco Investments.
Position Summary:
Your role will be working on implementing the security strategy governing the application. You will work with the various engineering teams to understand product and business needs, provide expertise around Secure application and cloud service development, as well as define and own clear guardrails, alerts, and Security as Code (SaC) deployments to provide 24/7 protection from malicious traffic, vulnerabilities and other attack vectors.
Responsibilities:
Help define consistent Secure Software Development Lifecycle practices for all Whatfix technology projects throughout the planning and delivery cycles, ensuring that application security risks are mitigated
Ensure end-to-end security of Whatfix products through hands-on testing, hypothesizing threats, helping development teams remediate risks upfront, and championing secure implementation efforts
Improve secure coding practices, application security requirements, automation, training, and metrics
Integrate threat modeling practices into the Software Development Lifecycle
Perform Security Architecture and Low Level Application Security Design review involving: Data Protection, Authentication and Authorizations, Web Application Security and Network Security
Collaborate with product and solution teams to achieve the cybersecurity software security program objectives
Manage cross-functional internal and external team collaboration, evangelization, and communications
Develop and optimize processes that make it more efficient for software development teams to adopt security development practices
Maintain active understanding of industry practices for secure software development and incident response
Carry out and own closures for Vulnerability Assessment and Penetration Testing for both Infra and Applications.
Perform both Manual and Automated Security Testing for identifying application vulnerabilities.
Perform periodic Configuration audits on Network Devices, Servers and other critical functions.
Perform code review across a variety of programming languages and provide recommendations for preventive and corrective actions
Perform assessments of SDLC processes
Develop testing scripts and procedures
Other security-related projects that may be assigned according to skills
Evaluate suspected vulnerabilities, work with subject matter experts, and recommend corrective actions.
Document any special security requirements identified as well as protection measures implemented to fulfill these requirements for the information contained in the information systems.
Evaluate security products and recommend solutions
Act as an advisor to various projects regarding Secure Coding Standards and Security Information Management
Skills and Experience Required:
Deep understanding of OWASP Top 10 and CWE 25; with proven track record and experience in implementing and integrating remediation strategies
Excellent understanding of web applications, web servers, layer 7 application technologies, frameworks and protocols with respect to application development and deployment
Well versed in web application design, penetration testing, application risk assessment and risk categorisation
Well versed (experience preferred) in driving and implementing secure development practices into the SDLC (SSDLC); ability to successfully integrate security into a developer's world
Success in implementing effective Secure SDLC frameworks across a large corporation.
Ability to effectively present and communicate security threats and risks to any audience and impress upon them the mitigation techniques and strategies
Familiar with waterfall and agile development processes and have experience integrating secure development practices into both models.
Familiar with code management system (e.g.: BitBucket), CI/CD system (e.g.: Jenkins), Docker, Kubernetes, microservice architecture, OAuth 2.0, OpenID Connect.
Deep knowledge and experience in using SAST, DAST, IAST, SCA and fuzz testing tools
Solid problem solving and analytical skills; able to quickly digest any issue/problem encountered and recommend an appropriate solution.
Self-motivated; able to work independently; able to negotiate and bring consensus to diverse priorities of product development and solution teams.
Knowledge of the software development domain and its principles, including design patterns, code structure, programming languages, continuous integration (Bitbucket), continuous deployment (Jenkins), and deployment orchestration (Puppet, Ansible, or equivalent)
Knowledge of RESTful web services (client – server application)
Hands-on automation and DevOps skills
Experience with Network assessment tools and Exploitations (e.g., Kali Framework, Qualys Guard, Nessus, Nexpose, Nmap, Metasploit, Saint)
Experience in performing static code review (e.g., Checkmarx, HP Fortify, HCL Appscan Source)
Experience in at least 2 scripting languages such as Python, Perl, PHP, Ruby etc.
Capable of assessing an application using the OWASP, OSSTMM, CESG, CREST, NIST, ISSAF, and PTES methodologies
Knowledge of standard SDLC practices and flexibility to work in an Agile model
Minimum of 3 years work experience in application and network security
Experience with high-level programming languages (e.g., Java, C, C++, .NET (C#, VB)) and DAST code review is an advantage
Knowledge of operating systems, preferably Windows / Linux / UNIX, and network equipment
Experience in mentoring, coaching staff and ability to lead teams under demanding circumstances to accomplish project team objectives.
Qualifications
Qualification required: Bachelor's/Master's degree in either Computer Engineering or Information Science
Certification preferred: OSCP, CEH, ECSA, CPT, LPT
Minimum experience: 10+ years in the domain of Product security.
At least 3 years' experience in leading a team.
Perks/benefits: Flex hours