Senior Security Analyst

About us:

HappyFox is a software-as-a-service (SaaS) support platform. We offer an enterprise-grade help desk ticketing system and intuitively designed live chat software.

 

We serve over 12,000 companies in 70+ countries. HappyFox is used by companies that span across education, media, e-commerce, retail, information technology, manufacturing, non-profit, government and many other verticals that have an internal or external support function.

 

To know more, Visit! - https://www.happyfox.com/

 

Responsibilities:

• Perform manual and automated application penetration tests and provide suggestions to harden our products
• Participate regularly in the development and release process to identify and report security vulnerabilities in the code being shipped
• Conduct regular audits on all Features/APIs of the product and reports vulnerabilities to the development team
• Keep up with industry trends in the security space
• Triage inbound vulnerability reports with an appropriate level of urgency and track them until they are resolved by Engineering teams
• Should be able to understand different elements of our NodeJS, Python and similar stacks and provide guidance on secure software development practices to the team
• Scale our application security engineering team

 

Requirements:

• Strong verbal and written communication skills
• Has worked on Web Application Security Testing for a reasonably complex application. The mobile experience is a plus
• Good knowledge of secure software development guidelines from authoritative bodies like NIST, OWASP, SANS
• Hands-on experience in performing manual/automated security assessments with open-source/commercial security tools

 

This profile will include following responsibilities:

 

- Perform Web Application Security Testing

- Perform Mobile Application Security Testing

- Scan Network for Security Vulnerabilities

- Co-ordinate with the clients for Project related queries

- Undertake meeting with the client teams for discussing security issues and recommendations

- Create detailed security reports

- Keep track of project progress & send regular updates

- Research on Open source security tools & new security topics

- Create Security Knowledge base for the team

The candidate should be we well versed with application security concepts, including the mitigation techniques:

• Web Application Security – OWASP Top 10
• Mobile Application Security – Mobile OWASP Top 10
• Threat Modelling
• Risk Rating Frameworks
• Web Traffic Interception (For Web/Mobile apps)
• SSL
• Network Concepts
• Web Development Basics - HTTP/HTML/JavaScript
• Basic Mobile Application Concepts (either Android or IOS)

About Drip Capital & Tech Team

The engineering team at Drip Capital is responsible for building and maintaining the online global trade financing platform that supports the interactions between buyers, sellers, financing partners, insurance agents, global retail partners, trade agents, shipping & transportation companies, supply chain and warehousing companies worldwide. 

Our primary goal is to ensure that customers are provided time-critical capital and at the same time balance requirements related to risk, fraud management, and compliance. The services are accessed by customers worldwide and hence the engineering systems need to be policy-driven, easily reconfigurable, and able to handle multiple regional languages. We use machine learning for risk classifications/predictions, intelligent document parsing subsystems, robotic process automation, REST APIs to connect our microservices, and a cloud-based data lake and warehouse for data storage and analysis.

Our team comprises talent from top-tier institutions including Wharton, Stanford, and IITs with years of experience at companies like Google, Amazon, Standard Chartered, Blackrock, and Yahoo. We are backed by leading Silicon Valley investors - Sequoia, Wing, Accel, and Y Combinator. We are a global company headquartered in Silicon Valley along with offices in India and Mexico.

Your Role 

As an AppSec Engineer in Drip Capital’s engineering team, you will have the opportunity to take ownership of :

• Contribute to and improve secure SDLC practice
• Design architecture, methods, and controls required to meet security, compliance, and audit requirements.
• Designing and implementing cloud and network security solutions.
• Do comprehensive threat modelling for our applications and infrastructure in an Agile flow
• Perform secure code review and security assessments of web, android and iOS applications, and cloud infrastructure (infrastructure as code).
• Proactively identify vulnerabilities across our platform and work with developers in fixing them.
• Automate and simplify security, as “Complexity is the enemy of Security”.
• Handle Vulnerability Management and Patch Management processes.
• Participate in the investigation related to Privacy/Security incidents and response activities.
• Work with DevOps to implement the security tools and automation of the security tasks.
• Mentor other engineers and evangelize security practices through cross-functional work with DevOps and engineering teams.
• Testing the deployed security solutions to make sure they function as planned.

Our Checklist 

• A minimum of 4 years of experience as an AppSec Engineer
• Hands-on experience in secure design and architecture review of backend services, payments systems like payment gateways.
• Hands-on experience in secure code review and automation of common security workflows.
• Hands-on experience and a proven record of securing one or more of the cloud platforms: Azure, GCP, AWS and Hosted Cloud Solutions.
• Good understanding of OWASP and SANS testing methodologies.
• Good understanding of software security weaknesses and vulnerabilities.
• Good knowledge in securing architecture of web, mobile applications and cloud infrastructure.
• Ability to contribute as an individual and as part of a team
• Working knowledge of any scripting language; Python or Go preferred
• Experience in writing custom tools/scanners/extenders is a plus
• Red teaming experience is a plus

If you love to explore the security aspects of a distributed system that makes decisions related to global trade finance, let's talk!

WAF (Web Application Firewall) profile with experience in Application Security .

Operations and Technical Advice

Monitoring applications over WAF for Security incidents (24*7 Service Window)
WAF Implementation,  and Day-to-Day Task ,Application Integration, Testing ,Learning ,Blocking , Migrations.
Application Security Understanding,Creating, modifying, or implementing policies or rules.
Add, remove, and modify, update security policy parameters and attack signatures policies as per Airtel Africa business requirement and standard practices
Understanding of Network Protocol
Hand-on  Packet Capture /Analyser
Perform WAF signature & hotfix updates.
Quarterly review the created Policy/Rule with Client
Respond to Ticket management tool requests for WAF Incidents, Changes, and Services.
Coordinate with OEMs for product related issues and bugs
Integrate SIEM & monitoring tool with WAF virtual appliances
Upgrading the Radware OS version from N to N-1 shall be considered based on the criticality of discovered vulnerabilities during the VA scan.
Assist the Client  team in mitigating vulnerabilities or observations reported during security audits, VA&PT, and regulatory technology audits (internal, external, and concurrent) for and in WAF
Analyse security breaches, make required changes/additions, and report RCA for any WAF security incident
Support Window 24X7 ,

We are seeking a Security Program Manager to effectively drive Privacy & Security Programs in collaboration with cross functional teams. You will partner with engineering leadership, product management and development teams to deliver more secure products.

 

Roles & Responsibilities:

• Work with multiple stakeholders across various departments such as IT, Engineering, Business, Legal, Finance etc to implement controls defined in policies and processes.
• Manage projects with security and audit requirements with internal and external teams and serve as a liaison among all stakeholders.
• Managing penetration tests and security reviews for core applications and APIs.
• Identify, create and guide on privacy and security requirements considering applicable Data Protection Laws and implement them across software modules developed at Netmeds.
• Brainstorm with engineering teams to figure out how privacy and security controls can be applied to Netmeds tech stack.
• Coordination with Infra Teams and Dev Teams on DB and application hardening, standardization of server images / containerization.
• Assess vendors' security posture before onboarding them and after they qualify, review their security posture at a set frequency.
• Manage auditors and ensure compliance for ISO 27001 and other data privacy audits.
• Answer questions or resolve issues reported by the external security researchers & bug bounty hunters.
• Investigate privacy breaches.
• Educate employees on data privacy & security.
• Prioritize security requirements based on their severity of impact and product roadmap.
• Maintain a balance of security and business values across the organisation.

 Required Skills:

• Web Application Security, Mobile Application Security, Web Application Firewall, DAST, SAST, Cloud Security (AWS), Docker Security, Manual Penetration Testing.
• Good hands-on experience in handling tools such as vulnerability scanners, Burp suite, patch management, web filtering & WAF.

• Familiar with cloud hosting technologies (ex. AWS, Azure). Understanding of IAM, RBAC, NACLs, and KMS.

• Experience in Log Management, Security Event Correlation, SIEM.
• Must have strong interpersonal skills and should be able to communicate complex ideas seamlessly in written and verbal communication.

 

Good to Have Skills:

• Online Fraud Prevention.
• Bug Bounty experience.
• Security Operations Center (SOC) management.
• Experience with Amazon AWS services (EC2, S3, VPC, RDS, Cloud watch).
• Experience / Knowledge on tools like Fortify and Nessus.
• Experience in handling logging tools on docker container images (ex. Fluentd).

Job Description Roles and Responsibilities: • Exploit security flaws and vulnerabilities with attack simulations on multiple application platforms like Android, iOS and Web. • Ability to flow from black box to grey box to white box tests. • Ability to effectively work with the engineering teams to provide technical risk. assessment of technologies in networks, applications, code reviews in the release management cycle. • Ability to perform vulnerability assessments and penetration testing, utilizing tools - commercial and open source. • Perform, review and analyze security vulnerability data to identify applicability and false-positives. • Conduct penetration testing in line with Open Web Application Security Project (OWASP) • Write technical reports that include suggested resolution for identified problem areas and perform operational risk assessment. Required Skills and Abilities: • OWASP top 10 • Security Pen Testing methodologies including automated scans and manual methods • Tools including Burp, Nexpose, NMap, Whois etc. is a plus • Good Hands-On with Linux Debian Flavors and security hardening of the same • Understanding of Web Servers and HTTP 1.0/1.1 Protocol • Troubleshooting web servers like Apache, Nginx and other reverse proxy platforms • Basic understanding of NodeJS, Python and JAVA • TCP/IP networking including IP classes, subnets, NAT • SSL Handshake and Certificates - Understanding • DNS, and DHCP, Network troubleshooting • Remote access methods • Backup and disaster recovery methodologies • Network analysis tools • Good Hands-on using Linux Debian Flavors • Experience with security issues in Cloud Technologies (AWS) is a plus • Ability to grasp new technology concepts quickly • Good documentation skills • Ability to work in a team environment and interact with people • Knowledge and understanding of basic information security principles • Should be aware of the latest Major Application Zero-day vulnerabilities • Should be able to understand security alerts and take necessary actions accordingly Education and Experience: • Bachelor’s degree in information technology related field

Requirements:

• Overall experience in the field of Information risk and security related initiatives/ projects.
• Experience in the areas of Infrastructure Security Audit, IT Security, Vulnerability Assessment, Risk Assessment, Web Application Security, Network Security Review, Network Architecture Review, Mobile Application Security Testing, Configuration Review, Source Code Review, Wireless Pentest, Process Review etc.
• Ability to understand business concepts and integrate business risk elements into security operations.
• Experience in conducting VAPT.
• Experience with web application vulnerability scanning tools (e.g., IBM AppScan, HP Web inspect, Acunetix, NTO Spider, BurpSuite Pro).
• Strong ethics and understanding of ethics in business and information security.
• Should have exposure to Code review, Network VA/PT and App VA/PT work.
• Understanding and familiarity with common code review methods and standards.
• Experience with code scanning toolsets such as Fortify and Ounce.
• Understanding of HTTP and web programming.
• Knowledge of OWASP tools and methodologies, common security requirements within ASP.NET application, standard SDLC practices.
• Knowledge of Network Security technology in areas of Firewall, IPS, VPN, Gateway security solutions (proxy, web filtering).
• In-depth understanding on Common Vulnerability Exposure (CVE)/ Cert advisory database.