Cigres Technologies Private Limited
Application Security Architect - Threat Modeling & Risk Assessment
Job Location
bangalore, India
Job Description
Job Title : Application Security Architect

Job Summary : Cigres is seeking a technically proficient Application Security Architect to lead and enhance the security posture of its applications and products. This role involves designing and implementing security solutions across modern application architectures, including web applications, APIs, microservices, and cloud-native platforms. The ideal candidate will be responsible for performing detailed threat modeling, securing API and microservice communications, and integrating security practices across the software development lifecycle (SDLC), driving and maintaining security throughout the entire lifecycle.

Key Responsibilities :

API Security Design and Implementation :
- Design and implement secure API architectures by incorporating authentication, authorization (OAuth 2.0, JWT, etc.), and encryption mechanisms.
- Enforce API security best practices including rate limiting, input validation, logging, and auditing.
- Secure external API integrations and manage API gateways for secure traffic management.
- Thorough understanding of the OWASP API Security Top 10 and the OWASP REST Security Cheat Sheet.
- Identify common proactive controls for applications (e.g., the OWASP Proactive Controls).
- Good understanding of the OAuth 2.0 and OIDC standards.
- Expertise in designing security for API architecture styles (such as REST, webhooks, WebSocket, GraphQL, gRPC, MQTT) and microservices architectures in cloud-native environments (AWS, Azure, GCP, OCI).

Microservices Security Architecture :
- Architect and implement secure microservices that use containerization (e.g., Docker) and orchestration (e.g., Kubernetes), with a focus on service-to-service authentication, service mesh security, and east-west traffic protection.
- Apply Zero Trust principles to microservices, ensuring network segmentation, secure communication (mTLS), and secrets management (e.g., HashiCorp Vault).

Threat Modeling and Risk Assessments :
- Perform threat modeling (e.g., STRIDE, PASTA) for critical applications to identify weaknesses and recommend appropriate security controls.
- Conduct architectural risk assessments on new and existing systems to identify and prioritize risks, integrating security by design.
- Use threat modeling tools such as OWASP Threat Dragon, the Microsoft Threat Modeling Tool, or other automated threat modeling tools for systematic risk analysis and mitigation planning.
- Have a clear understanding of risk factors, risk-related concepts, and risk assessment.

Secure Software Development :
- Champion a Secure Development Lifecycle (SDLC), ensuring security is embedded in every stage from design to deployment.
- Integrate the Software Development Life Cycle (SDLC) with the application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure coding).
- Define and enforce secure coding standards (e.g., OWASP Top 10, SANS/CWE Top 25, the OWASP Cheat Sheet Series) across development teams.
- Integrate security automation into CI/CD pipelines, leveraging tools for Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA).
- Depending on the area of work, evaluate and select components; design the hardware, software, process, and service components of the solution; provide assurance of deployment architectures; and guide secure engineering practices in development.

Cloud and Container Security :
- Determine application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS) / Infrastructure as a Service (IaaS) / Platform as a Service (PaaS) environments).
- Assess cloud-native application architectures with a focus on security.
- Design and implement security controls for cloud-native applications using secure deployment frameworks such as Infrastructure as Code (IaC), ensuring proper configuration of AWS, Azure, or GCP environments.
- Deep expertise in either AWS or Microsoft Azure security.
- Cloud security compliance, cloud data security, cloud threat and incident management, WAF, VPC security controls, and security log management.
- Design and develop security architectures for cloud and hybrid cloud systems.
- Exposure to Kubernetes, container security, network security, and virtualization.

Identity and Access Management (IAM) :
- Detailed technical knowledge of techniques and standards for authentication, authorization, and identity management (SSO, OAuth, OpenID Connect, RBAC, ABAC, etc.).
- Ensure multi-factor authentication (MFA) and role-based access control (RBAC) are applied to sensitive components and APIs.

Third-Party and Supply Chain Security :
- Assess and secure the software supply chain by conducting third-party security assessments of libraries, frameworks, and external services used in the application ecosystem.
- Implement processes for producing and verifying a Software Bill of Materials (SBOM), and ensure secure use of open-source components through regular security patching and auditing.

Qualifications :
- Postgraduate or graduate degree in Computer Science, Information Security, or a related field.
- A minimum of 10 years of experience in application security architecture and secure software development.
- Knowledge of security standards such as OWASP Top 10 (Web, API, CI/CD), NIST CSF 2.0, NIST SP 800-218, SP 800-37, SP 800-53 Rev. 5, and SP 800-161, ISO standards, SOC 2, GDPR, PCI DSS, and the CIS Controls.
- Relevant cybersecurity certifications such as CSSLP, CISSP, CCSP, AWS Certified Security - Specialty, or similar cloud security certifications are a plus.

(ref:hirist.tech)
Location: bangalore, IN
Posted Date: 1/14/2025
Contact Information
Contact: Human Resources, Cigres Technologies Private Limited