ویستا سامانه آسا

Security Assessment & Audit Specialist

Tehran / Sa'adat Abad
Full Time
7:45 to 16
Loan, Health insurance, Parking space, Learning stipends, Game room, Lunch, Snacks, Resting space, Coffee shop, In-house medical doctor, Breakfast, Occasional packages and gifts
501 - 1000 employees
IT / Software / Hardware
Iranian company dealing only with Iranian entities
1391
Privately held

Key Requirements

3 years' experience in a similar position

Job Description

Responsibilities:
Application & Layer-7 Security

  • Conduct web application penetration tests following OWASP methodologies (OWASP Top 10, API Security Top 10).
  • Identify vulnerabilities such as injection flaws, authentication bypass, insecure deserialization, access control weaknesses, and misconfigurations.
  • Perform manual and automated testing using tools like Burp Suite, OWASP ZAP, Nikto, and custom scripts.
  • Assess and support the secure configuration of web servers, APIs, and middleware (e.g., Nginx, Apache, Tomcat, IIS).
  • Collaborate with developers and DevOps teams to analyze code-level security issues and promote secure SDLC practices.
  • Review application security controls including authentication, session management, input validation, and encryption.
  • Conduct application-layer threat modeling and risk assessments.
  • Evaluate containerized and microservice-based environments (Docker, Kubernetes) for security best practices.

Infrastructure & Network Security

  • Perform security assessments on servers, databases, and network devices (e.g., routers, firewalls, VPNs, access points).
  • Identify vulnerabilities from patching gaps, misconfigurations, and outdated software components.
  • Review the security posture of antivirus, patch management, asset inventory, and PAM solutions.
  • Conduct internal security audits aligned with frameworks such as CIS, MITRE ATT&CK, and ISO 27001.
  • Utilize vulnerability scanners (e.g., Nmap, Nessus, OpenVAS) and traffic analysis tools (Wireshark, Tcpdump) to assess network health.
  • Support system hardening using tools such as Lynis, MS SCT, AuditD, and STIG benchmarks.

Reporting & Collaboration

  • Prepare comprehensive security reports detailing findings, risk analysis, and prioritized remediation steps.
  • Deliver both executive-level summaries and technical documentation for development and infrastructure teams.
  • Work closely with DevOps, IT, and Operations teams to ensure consistent remediation and continuous improvement.

Requirements:

  • Strong understanding of web application security and layer-7 penetration testing.
  • Familiarity with OWASP, CIS Controls, and MITRE ATT&CK frameworks.
  • Proficiency with security testing tools:
      • Application: Burp Suite, OWASP ZAP, Nikto, Metasploit (community)
      • Infrastructure: Nmap, OpenVAS, Nessus, Hydra, Enum4linux
  • Knowledge of network and traffic analysis tools: Wireshark, Tcpdump.
  • Experience with Docker and Kubernetes security configurations.
  • Exposure to patch management tools (ManageEngine, WSUS).
  • Practical knowledge of system hardening and compliance tools (Lynis, AuditD, Debsecan).
  • Strong reporting, analytical, and documentation skills.
  • Collaborative mindset and ability to communicate effectively with both technical and non-technical stakeholders.

Job Requirements

Gender
Men / Women
