Professional Summary
A seasoned AppSec Lead focuses on establishing security roadmaps, leading incident responses, and mentoring developers in secure coding practices. They are the "security design authority" for an organization's applications, balancing rapid delivery with robust risk mitigation.
Key Responsibilities
- Strategic Security Roadmaps: Define and maintain the long-term application security strategy and backlog to address evolving threat scenarios.
- Secure SDLC Integration: Embed security controls, such as SAST, DAST, and SCA, into the development lifecycle to proactively identify vulnerabilities.
- Design Authority: Act as the primary decision-maker for application access, IAM standards (RBAC, MFA, SSO), and security architecture.
- Incident & Risk Management: Lead technical responses to data breaches, conduct post-mortems, and implement new protocols to reduce future risk.
- Governance & Compliance: Ensure applications meet regulatory requirements, such as the EU AI Act, and provide evidence for audits.
- Developer Mentorship: Guide engineering teams on secure coding practices like input validation and proper error handling.
Essential Skills
Application Security & SDLC
- Conduct and manage SAST, DAST, IAST, and SCA scans across applications.
- Perform and support threat modeling for applications and services.
- Perform secure design and architecture reviews for applications, APIs, and microservices.
- Embed security checkpoints across requirements, design, build, test, and release phases.
- Provide secure code review support and hands-on remediation guidance.
- Embed application security across the SDLC in collaboration with development and DevOps teams, and drive proactive remediation.
Vulnerability Assessment & Penetration Testing
- Conduct internal and external VAPT for web, mobile, and API applications.
- Perform advanced manual testing using Burp Suite and custom test cases.
- Validate scanner findings, eliminate false positives, and retest fixes.
- Provide actionable remediation guidance to address identified vulnerabilities.
- Track vulnerabilities and ensure closure within defined SLAs.
- Test for business logic, access control, and API security vulnerabilities.
DevSecOps & CI/CD Security
- Integrate security tools into CI/CD pipelines (Jenkins, GitHub, GitLab).
- Implement security quality gates to block critical vulnerabilities.
- Secure pipelines, secrets, artefacts, and third-party dependencies.
- Automate vulnerability tracking via JIRA or Azure Boards.
Vulnerability & Risk Management
- Own end-to-end vulnerability lifecycle management.
- Define and enforce remediation SLAs based on risk.
- Maintain and track the overall security posture across the application portfolio.
- Perform risk-based prioritization considering exploitability and business impact.
- Produce dashboards and reports for management visibility.
Audit, Compliance & Governance
- Ensure alignment with OWASP Top 10, OWASP ASVS, NIST, ISO 27001, and CMMI Security requirements, and support customer security audits.
- Manage and coordinate resolution of application security incidents raised across internal teams and external stakeholders.
- Maintain application security artefacts including risk and scan reports.
- Perform impact analysis and root cause analysis (RCA) for application security incidents, and define corrective and preventive actions (CAPA).
- Participate in risk assessments for new features and integrations.
Collaboration & Enablement
- Work closely with developers, DevOps, and product teams to embed security controls and remediate identified vulnerabilities.
- Develop secure coding guidelines and reusable remediation playbooks.
- Explore automation and AI capabilities to scale application security testing and reporting.
- Leverage AI-assisted security tools to improve vulnerability triage, prioritisation, and remediation guidance.
- Drive a shift-left security culture within agile teams.
Required Qualifications
- Bachelor’s degree in Computer Science, Information Security, or related field.
- 6+ years of total experience, including 4-5 years of relevant hands-on experience in Application Security and VAPT, along with SAST/DAST tools.
Technical Skills
- Strong secure coding knowledge (Java, Python, JavaScript).
- Hands-on with Checkmarx, Snyk, Veracode, CodeQL.
- API security, OAuth2, JWT, and cloud security fundamentals.
- Familiarity with CI/CD tools and DevSecOps practices.
- Knowledge of API security, VAPT, and modern application architectures.
- Experience with AWS, Azure, or GCP environments.
Preferred Certifications
- CEH, OSCP (Good to have).