VAPT Engineer

Tata Elxsi is among the world’s leading providers of design and technology services across industries, including Automotive, Broadcast, Communications, and Healthcare. Tata Elxsi is helping customers reimagine their products and services through design thinking and the application of digital technologies such as IoT (Internet of Things), Cloud, Mobility, Virtual Reality, and Artificial Intelligence.

We are seeking a skilled VAPT Security Engineer with 7+ years of experience in Penetration Testing and Vulnerability Management (VAPT), DevSecOps, Security testing of Web applications, API and Mobile Apps – Android and iOS, IOT/Embedded Device.

Key Responsibilities:

• Conduct comprehensive vulnerability assessments and penetration tests on networks, systems, and applications.
• Utilize a variety of tools and techniques to identify vulnerabilities, such as networks canning, web application testing, and social engineering
• Perform controlled attacks (White-box, Grey-box, Black-box) on systems, networks, web applications and mobile apps to exploit identified vulnerabilities and assess their potential impact.
• Simulate real-world cyber-attacks to test the effectiveness of security controls and identify potential weaknesses.
• Document and report findings from penetration testing activities, including identified vulnerabilities, exploitation techniques, and potential impacts.
• Provide detailed recommendations and remediation strategies to address identified security weaknesses.
• Perform the security end to end security testing for Web application covers OWASP Top 10 and OWASP ASVS L2.
• Perform the security testing for Mobile apps – Android and iOS covering the OWASP Top Mobile vulnerabilities and OWASP MASVS standards
• Perform the security testing for IOT/Embedded devices with eSIM, Ethernet, USB, JTAG interfaces.
• Perform the end-to-end security testing for Backend APIs for Web applications and Mobile apps.
• Independently handle complex issues with minimal supervision, while escalating only the most complex issues to appropriate staff
• Perform the Performance testing for AWS Cloud platform.
• Utilize various open-source and commercial tools for vulnerability scanning and penetration testing (e.g., Nessus, Metasploit, Burp Suite).
• Maintain proficiency in computer network exploitation, tools, techniques, countermeasures, and trends in network security.
• Stay up to date with the latest security threats, vulnerabilities, and attack techniques to proactively identify potential risks and provide recommendations for mitigation.
• Implement Static Application Security Testing (SAST) to analyse source code for security vulnerabilities.
• Implement the Container Image scanning tools and collaborate with team to remediate security risk and vulnerabilities.
• Automation of security controls in CI/CD and security validation and testing: SAST, DAST, IAST, RASP, SCA
• Making improvement proposals and defining action plans to optimize security capabilities in DevOps environments to ensure software security.
• Collaboration with Internal and external stakeholders in adopting security requirements in cloud environments.
• Security assessments in container environments (Docker, Kubernetes) and Security implementation in IaC (Infrastructure as Code).
• Analysis of evidence in assessing the cybersecurity maturity based on the DevSecOps software development
• Preparation of technical and executive reports.
• Provide recommendations and guidance on secure coding practices to software development teams.
• Perform security configuration reviews and hardening of systems.
• Integrate security practices into the DevOps pipeline to ensure continuous security (DevSecOps).
• Perform reverse engineering of software and systems to identify potential attack vectors and develop exploits.
• Develop and execute security testing plans and methodologies.
• Conduct periodic security assessments to ensure compliance with security policies.
• Develop and implement effective mitigation strategies and countermeasures to address identified vulnerabilities.
• Perform the Threat modelling for applications as part of DevSecOps.
• Perform risk assessments and develop risk mitigation strategies.

Skills Required:

• Good understanding of application frameworks, security design patterns. 
• Hands-on experience in cloud security environments (AWS / Azure)
• Proficiency with security testing tools such as Nessus, Burp Suite, MobSF, SonarQube, Nmap, Metasploit, etc.
• Excellent understanding of web application architecture and Secure Software development life cycle (SSDLC)
• Knowledge of common vulnerabilities and exposures (CVEs).
• Hands-on experience in MITRE ATT&ACK and Cyber Kill Chain methodologies
• Experience with network security, data hiding, and encryption techniques.
• Expertise in scripting languages like Python, Bash, or PowerShell.
• Strong understanding of IT security standards and frameworks (e.g., OWASP, NIST, SANS Top 25, ISO 27001).
• Experience in performing the security testing using OWASP ASVS L2, MASVS.
• Experience with web technologies and web application security.
• Knowledge of mobile apps security.
• Document findings, methodologies, and recommendations in clear and concise reports.
• Strong knowledge of the OWASP, SANS top 25, WASC security Standards and detailed knowledge of common web application attack vectors such as SQL injection, CSRF, XSS, Session Management issues, Direct Object reference, Click jacking, buffer overflows, etc
• Should have knowledge, thorough understanding on various Threat Modelling frameworks and Risk Rating Standards such as STRIDE, CVSS etc
• Experience and knowledge of devsecops, integrations and onboarding of applications and tools into the CI/CD pipeline.
• Strong knowledge on Infrastructure as Code (IaC).
• Experience in offensive security, with the ability to think like an adversary
• Strong ability to identify and exploit security gaps/vulnerabilities on endpoint devices, applications, and networks
• Strong experience in operating system and application security hardening and best practices
• Experience conducting assessments for solutions consisting of a variety of technology stacks and architectural implementations and hosting providers
• Exposure and understanding of enterprise solutions from a functional and security perspective
• Ability to document and explain technical details in a concise, understandable manner
• Ability to identify and exploit web vulnerabilities (XSS, CSRF, SQLi, SSRF, arbitrary file upload, etc.)
• Ability to identify and exploit mobile vulnerabilities (API issues, insecure storage, memory corruption, SSL pinning, Jailbreak/rooted device, etc.)
• Knowledge on Secure coding practices
• Strong knowledge on Cryptography
• Strong analytical and problem-solving skills
• Excellent communication and teamwork skills.
• Relevant certifications (e.g., CEH, OSCP) preferred.