Product Security Engineer

Bengaluru | Full-time

Apply by: No close date

Position Summary:

The Product Security Engineer at Whatfix plays a critical role in ensuring the security of our applications, cloud services, and infrastructure. This role involves implementing and enforcing Secure Software Development Lifecycle (SSDLC) practices, conducting in-depth security assessments, and collaborating with development teams to remediate vulnerabilities. The engineer will be responsible for performing VAPT, security architecture reviews, and threat modeling while integrating security automation and best practices into the development process.

Additionally, the role includes coordinating external security assessments, managing bug bounty findings, conducting secure coding training, and working closely with GRC and TPRM teams to align security initiatives with compliance requirements. The ideal candidate will have expertise in application and API security, DevSecOps practices, and security testing tools, with a strong ability to communicate security risks and drive remediation efforts across engineering teams.

Job Description:

  • Implement and enforce Secure Software Development Lifecycle (SSDLC) practices across all Whatfix technology projects, ensuring security risks are effectively identified and mitigated throughout development.

  • Conduct Vulnerability Assessment and Penetration Testing (VAPT) for SaaS applications, APIs, and cloud infrastructure, identifying security weaknesses and ensuring timely remediation in collaboration with development teams.

  • Enhance application security by improving secure coding guidelines, integrating security automation, conducting developer training, and defining security metrics.

  • Perform threat modeling using STRIDE to proactively identify security risks in the design phase and recommend effective mitigation strategies.

  • Perform security architecture and design reviews, focusing on core security principles to enhance product security.

  • Work closely with product and solution teams to achieve the objectives of the cybersecurity software security program.

  • Conduct secure code reviews across various programming languages, identifying vulnerabilities and providing actionable recommendations for prevention and remediation.

  • Perform both Manual and Automated Security Testing for identifying application vulnerabilities.

  • Responsible for identifying security vulnerabilities, reporting issues, and collaborating with development teams to ensure timely remediation and closure.

  • Responsible for coordinating and ensuring the successful execution of external VAPT assessments.

  • Responsible for managing and assessing security issues reported through the bug bounty program, ensuring proper triage and remediation.

  • Participate in both internal and external product security audits to ensure compliance and identify security improvements.

  • Conduct and facilitate secure coding training sessions for engineering teams to enhance security awareness and best practices.

  • Collaborate with GRC and TPRM teams to align security initiatives with regulatory compliance, third-party risk management, and security policies, ensuring adherence to industry standards and regulations such as GDPR, ISO 27001, SOC 2, and FedRAMP.

  • Ability to articulate and convey security threats and risks to diverse audiences, effectively emphasizing mitigation techniques and strategies.

Skills:

  • In-depth knowledge of the OWASP Top 10 and CWE Top 25, with a proven track record of implementing and integrating effective remediation strategies.

  • Possess a strong understanding of microservices, APIs, and web applications, including their security best practices and potential vulnerabilities.

  • Deep knowledge and experience in using SAST, DAST, IAST, SCA and fuzz testing tools.

  • Experience in threat modeling using STRIDE, identifying potential security risks and implementing effective mitigation strategies.

  • Knowledge of RESTful web services (client-server applications).

  • Hands-on experience with automation and DevSecOps practices to enhance security integration in development workflows.

  • Proficiency in high-level programming languages such as Java and .NET, with additional expertise in DAST code reviews as a plus.

  • Strong understanding of SDLC methodologies, with flexibility to work in Agile environments.

  • Proven experience in providing technical oversight to project team members, ensuring engagement quality and adherence to security best practices.

  • Familiarity with code management systems (e.g., BitBucket), CI/CD pipelines (e.g., Jenkins), containerization (Docker, Kubernetes), microservices architecture, and authentication frameworks like OAuth 2.0 and OpenID Connect.

  • Well-versed in both waterfall and agile development models, with experience embedding secure development practices in both.

  • Extensive experience in driving and implementing Secure SDLC (SSDLC) practices, ensuring seamless security integration into the development process.

  • Proficient in at least two scripting languages, such as Python, Perl, PHP, or Ruby.

  • Experience in performing static code analysis using tools like Checkmarx and GitHub Advanced Security to identify security vulnerabilities.

Qualifications:

  • Qualification required: Bachelor's or Master's degree in Computer Engineering or Information Science.

  • Preferred certifications: OSCP, CEH, ECSA, or other industry-recognized security certifications.

  • Minimum experience: 5–8 years of experience in Product Security.