Team Lead - Application Security
Maharashtra, PUNE, India
METRO/MAKRO
METRO is a partner of many small and mid-sized independent companies. Their success is our business. The group is headed by METRO AG, which acts as the central management holding company.
Company Description
Metro Global Solution Center (MGSC) is the internal solution partner for METRO, a €30.5 billion international wholesaler with operations in 31 countries through 625 stores and a team of 93,000 people globally. Metro operates in a further 10 countries with its Food Service Distribution (FSD) business and is thus active in a total of 34 countries.
MGSC is present in Pune (India), Düsseldorf (Germany) and Szczecin (Poland). We provide Finance, HR, IT and Business operations support to 31 countries, speak 24+ languages and process over 18,000 transactions a day. We are setting tomorrow’s standards for customer focus, digital solutions, and sustainable business models. For over 12 years, we have been providing services and solutions from our two locations in Pune and Szczecin. This has allowed us to gain extensive experience in how we can best serve our internal customers with high quality and passion. We believe that we can add value, drive efficiency, and satisfy our customers.
Website: https://www.metro-gsc.in
Company Size: 600-650
Headquarters: Pune, Maharashtra, India
Type: Privately Held
Inception: 2011
Job Description
Responsibilities
- Set up and lead the application security team.
- Triage High/Critical findings (SAST, SCA, DAST, VDP) and drive mitigation.
- Identify and approve high-severity true or false positive vulnerabilities.
- Support Product teams implementing SAST/SCA in their CI/CD pipelines.
- Support Product Teams with Application security expertise for best mitigation of findings.
- Provide generic application security consultancy.
- Identify security risks in application architecture and infrastructure, drive mitigations.
- Contribute to the target S-SDLC framework.
- Support the application security team strategically and technically in developing and improving the main pillars of application security.
- Support Security & Privacy Engineering Key activities.
Role Description
- The Application Security Tech Lead is responsible for setting up, leading and functionally steering a team of application security engineers.
- Contribute to ensuring that each step of the SDLC used by software engineers across METRO follows best practices in terms of information security and data privacy.
- Contribute to developing and maintaining the technologies and processes needed in CI/CD, including tollgates that ensure security control validations are automatically performed during the development and deployment phases.
- Support software engineering teams across METRO in addressing identified software vulnerabilities and weaknesses.
- Serve as the technical authority, providing expert guidance to the security engineers where needed.
Technical & Soft Skills:
- In-depth knowledge of application security technologies and tools such as SAST, SCA, DAST.
- Strong knowledge and skills in scripting and development of automation in CI/CD.
- Good understanding of Git concepts and market-leading vendors like GitHub, GitLab.
- Deep understanding of OWASP, ASVS is a must.
- Proficiency in concepts of vulnerability assessments and scans using automated tools (Qualys, Polaris, …).
- Understanding of Common Vulnerabilities and Exposures (CVEs), the Common Vulnerability Scoring System (CVSS), and vulnerability databases.
- Familiarity with vulnerability management frameworks and methodologies, such as the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) system.
- Excellent communication and interpersonal skills to effectively collaborate with clients, stakeholders, and internal teams.
- Proficient in producing reports, briefings, and presentations to communicate findings, trends, and recommendations to stakeholders.
- Strong organizational and time management skills with the ability to coordinate and prioritize multiple tasks simultaneously.
- Ability to work under pressure.
Qualifications
Qualifications & Experience
- Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field. A master's degree or relevant certifications (e.g., CISSP, CSSLP) may be preferred.
- Senior Engineer: 7+ years of relevant experience, preferably in an enterprise.
- Hands-on DevSecOps experience.