Greenlight Planet

Application Security Engineer

Greenlight Planet  •  Republic of India (Remote)  •  2 hours ago

Job Description

Application Security Engineer

Department: Global Analytics and Technology

Employment Type: Permanent - Full Time

Location: India

Job location: Remote

About the role:

In this role, you will own the end-to-end security posture of our product platform — spanning mobile applications, REST APIs, microservices, cloud infrastructure, and third-party integrations. You will be involved in the product and engineering lifecycle early, shaping secure design decisions before code is written, and validating them through rigorous assessment. This is a hands-on, deeply technical role where you will both break and help build.

What you will be expected to do

  • Own application security responsibility for assigned business functions by performing threat modeling, architecture reviews, penetration testing, secure coding programs, and vulnerability management.
  • Perform manual penetration testing and vulnerability assessments on web applications, APIs, and Android mobile applications.
  • Perform security reviews for AI‑native products, models, pipelines, and inference services.
  • Onboard applications into the SSDLC program and be a security point of contact for the application product.
  • Own security incident response for product-layer issues, define remediation plans, and track fixes through to closure
  • Integrate and tune SAST/DAST/IAST/SCA tools in CI/CD, create custom rules where needed and actively triage false positives.
  • Review and harden cloud infrastructure — Kubernetes RBAC, pod security, network policies, Istio service mesh, Keycloak/OIDC configurations, and IAM across AWS, DigitalOcean, GCP, and Firebase
  • Communicate vulnerabilities and risk clearly to developers, product managers, and leadership — in language that drives actionable results
  • Conduct application security training for engineers, product managers, etc.



You might be a strong candidate if you have/are

Experience
  • 2–4 years of hands-on application security experience, ideally in product‑based or SaaS companies working directly with engineering teams.
  • Solid understanding of OWASP Top 10, API Security Top 10, and common authorization flaws including BOLA, BFLA, and privilege escalation
  • Familiarity with security compliance and data privacy frameworks relevant to fintech (SOC 2, PCI-DSS, GDPR, DPDP or similar) is an advantage
Technical Skills
  • Manual testing of web apps, APIs, and Android apps, and manual code reviews (beyond just running tools).
  • Familiarity with OAuth2, OIDC, JWT, and typical misconfigurations in providers such as Keycloak and Firebase.
  • Experience integrating and tuning SAST/DAST (and optionally SCA/IAST) tools within CI/CD pipelines.
  • Exposure to cloud‑native security: Kubernetes, containers, service mesh (Istio mTLS and policies), and IAM concepts across at least one major cloud provider.
  • Experience with Cloudflare WAF, perimeter security scanning, and/or red‑team testing is a plus.
AI and LLM security (strong plus)
  • Familiarity with AI/LLM security risks (e.g., OWASP LLM Top 10).
  • Practical experience implementing guardrails, prompt validation, output filtering, or other safety controls in production AI features, or assessing insecure use of third‑party AI APIs.
Automation and tooling
  • Ability to script/automate (e.g., Python, Bash) to streamline testing, data collection, and reporting.
  • Interest in or experience with building AI-based security tools that improve coverage or reduce manual toil.

Passion for security
  • Keep abreast of the latest security vulnerabilities and security trends
  • Work in a low supervision environment with high accountability

Qualifications
  1. Bachelor's degree in Computer Science or Cyber Security is preferred.
  2. At least 2 years of experience in the application security domain.
  3. Security certification such as OSCP, OSWE, GWAPT, GPEN, CRTP is preferred; active bug bounty participation is a strong plus
  4. Outstanding communication and interpersonal skills, with the ability to engage effectively with diverse stakeholders.


What Sun King offers

  • Professional growth in a dynamic, rapidly expanding, high-social-impact industry
  • An open-minded, collaborative culture made up of enthusiastic colleagues who are driven by the challenge of innovation towards profound impact on people and the planet.
  • A truly multicultural experience: you will have the chance to work with and learn from people from different geographies, nationalities, and backgrounds.
  • Structured, tailored learning and development programs that help you become a better leader, manager, and professional through the Sun King Center for Leadership.

About Greenlight Planet

Powering access to brighter lives in Africa, Asia, and beyond

Industry: Hardware & Semiconductors

Company Size: 1,001-5,000 employees

Headquarters: Chicago, Illinois

Year Founded: 2009