← All jobs
E

Lead Assistant Manager - Application Security

EXL

NoidaHigh payGreat Place to Work
Apply on EXL

Research EXL before you apply

Check ratings, real-employee reviews, verified pay, and interview difficulty.

Glassdoor reviewsRatings, pros/cons, CEO approvalAmbitionBoxIndia reviews, salaries, interviewsLevels.fyiVerified compensation by levelLinkedInPeople, growth, your connections

Key Responsibilities

Application Security Testing

  • Conduct manual and tool-assisted web application penetration testing (OWASP Top 10, business logic flaws, API vulnerabilities).
  • Perform mobile application security assessments for Android and iOS (static & dynamic analysis, reverse engineering, OWASP MASVS/MSTG).
  • Execute source code security reviews—both SAST-assisted and manual—across languages such as Java, Python, JavaScript/TypeScript, and others.
  • Participate in grey-box assessments and targeted red-team exercises against internal and client-facing applications.

DevSecOps Integration

  • Integrate and operate SAST, DAST, SCA, and container security tools within CI/CD pipelines (Jenkins, GitHub Actions).
  • Configure and tune security tooling to reduce false positives and enforce actionable pipeline quality gates.
  • Support IaC security reviews (Terraform, CloudFormation) and secrets management practices.
  • Collaborate with platform engineering to embed security controls in build and deployment workflows.

Vulnerability Management & Remediation

  • Triage, prioritise, and track vulnerabilities from discovery through verified closure.
  • Produce clear, developer-friendly reports with reproducibility steps, severity ratings, and remediation guidance.
  • Support development teams in understanding and fixing identified issues; re-test post-remediation.
  • Maintain internal vulnerability registers and risk-tracking artefacts.

Secure SDLC

  • Assist in threat modelling and secure design reviews for new features and services.
  • Promote secure coding standards and OWASP best practices across development teams.
  • Contribute to security champions programmes and developer awareness initiatives.
  • Assist in securing AI/GenAI applications and APIs following defined security patterns.

Qualifications

    • Skills & Qualifications

      Non-Negotiable – Must Have

    • 3–5+ years of hands-on experience in application security, penetration testing, or a closely related security engineering role.
    • Demonstrated web application penetration testing proficiency (Burp Suite Pro, OWASP methodology, manual exploitation).
    • Proven mobile application security testing experience for Android and/or iOS (MobSF, Frida, objection, drozer, APK/IPA analysis).
    • Practical source code review capability—ability to identify security defects through manual inspection and SAST tooling (Semgrep, SonarQube, Checkmarx, Veracode).
    • Familiarity with DevSecOps pipelines and security tool integration (SAST/DAST/SCA in CI/CD).
    • Solid understanding of vulnerability classes: injection, authentication flaws, IDOR, XXE, SSRF, deserialization, cryptographic weaknesses.

    • Scripting/automation capability for security tasks (Python, Bash, or equivalent).

      Good to Have

    • Certifications: eWPTX (eLearnSecurity), OSCP (Offensive Security), CEH, GWEB, GWAPT, or equivalent offensive security credentials.
    • Exposure to cloud security fundamentals (AWS/Azure/GCP—IAM, security groups, logging).
    • Knowledge of AI/GenAI security risks (OWASP LLM Top 10, prompt injection, model abuse).
    • Experience with API security testing (REST, GraphQL, gRPC).

    • Familiarity with compliance frameworks: OWASP ASVS, NIST, ISO 27001, PCI-DSS.

      Qualifications

    • Bachelor’s degree in Computer Science, Information Security, Engineering, or equivalent practical experience.
    • 3–5+ years of relevant experience in application security, penetration testing, or DevSecOps.
    • Offensive security certifications (eWPTX, OSCP, GWAPT, CEH, or equivalent) are a strong plus.