Job Details

Security Services Specialist

Location:

Singapore

Contract type:

Temporary & Contract

Job Ref:

493517

Date published:

22-Jan-2026

As a Security Services Specialist, you will serve as the subject-matter expert for security testing and Secure-by-Design practices. This role plays a critical part in strengthening and standardising security capabilities across multiple agencies or business units. Operating at the intersection of governance and hands-on technical execution, you will enable consistent, high-quality security practices and drive a shift from reactive controls to a proactive, resilient security posture.
Key Responsibilities
Security Testing Governance & Standardisation
  • Security Testing Standards: Define, implement, and continuously enhance the organisation-wide security testing framework, including Vulnerability Assessment and Penetration Testing (VAPT).
  • Operational Guidance: Develop and maintain Standard Operating Procedures (SOPs) to guide project teams in engaging external security vendors and managing internal testing lifecycles.
  • Quality Assurance: Establish quality rubrics and assessment criteria to evaluate penetration testing outcomes. Conduct periodic sampling and reviews of testing reports and engagements to ensure consistency, rigour, and effectiveness.
Advanced Technical Operations
  • Red Teaming & Deep-Dive Testing: Lead and execute advanced Red Team exercises and in-depth penetration tests on high-impact and mission-critical systems.
  • Adversary Simulation: Apply current knowledge of adversary tactics, techniques, and procedures (TTPs) to simulate real-world attack scenarios and identify gaps in prevention, detection, and response.
  • Threat Landscape Monitoring: Continuously monitor emerging threats and evolving attacker behaviours, assess their impact on the existing security posture, and translate insights into updated testing standards and priorities.
Secure-by-Design & Source Code Excellence
  • Secure Coding Standards: Define and promote secure coding guidelines aligned with recognised industry best practices to embed security from the earliest stages of development.
  • Source Code Security Strategy: Lead the approach for Static Application Security Testing (SAST) and Software Composition Analysis (SCA), including the evaluation and adoption of tools that automate the detection of vulnerabilities in source code and third-party components.
  • DevSecOps Enablement: Advise on the integration of security tooling into CI/CD pipelines, supporting teams in adopting effective DevSecOps practices.
  • Code Quality Oversight: Recommend and assess tools and practices that improve overall code quality, positioning security as a foundational element of clean, maintainable code.
  • Technology Foresight: Stay abreast of emerging technologies such as cloud-native architectures and AI-assisted development, and recommend solutions that enhance application resilience and security maturity.
Stakeholder Engagement & Advocacy
  • Trusted Advisory: Act as a trusted advisor to senior technology leaders and project owners, promoting Secure-by-Design principles through consultative engagement.
  • Community Building: Establish and support communities of practice to encourage knowledge sharing, alignment, and continuous improvement in security testing practices.
Key Requirements
Experience
  • Professional Background: 8–10 years of hands-on cybersecurity experience, with a strong focus on offensive security and application security.
  • Technical Coverage: Proven experience conducting penetration testing across web applications, enterprise IT systems (on-premises and cloud), and complex network environments.
  • Code Review Expertise: Demonstrated experience in performing both manual and automated source code reviews to identify logic flaws, injection vulnerabilities, and cryptographic weaknesses.
Technical Skills
  • Secure Development: Strong understanding of secure software development lifecycles (SSDLC) and the ability to analyse common programming languages such as Java, Python, .NET, and JavaScript.
  • Security Tooling: Proficiency with enterprise-grade SAST, DAST, SCA, and VAPT tools (e.g. Checkmarx, Fortify, SonarQube, Snyk, Burp Suite).
  • Offensive Security: Deep understanding of offensive testing methodologies, including familiarity with common adversary TTPs and attack frameworks.
  • Cloud & DevOps: Practical experience with cloud environments and CI/CD platforms such as Jenkins, GitLab CI, or GitHub Actions.
  • Certifications: Professional certifications such as OSCP, OSWE, CASE, or GWEB are highly desirable.
Soft Skills
  • Influence & Communication: Ability to articulate complex technical risks to non-technical stakeholders and influence outcomes without direct authority.
  • Analytical Thinking: Strong capability to identify recurring weaknesses in testing results or code quality and translate insights into actionable improvements.
  • Continuous Learning: Demonstrated commitment to staying current with the evolving cybersecurity threat landscape.
Company Reg No.: 201131609D | License No.: 24S2411 | Reg No: R21102223 | Goh Choon Mui
 