Application Security Engineer

Narayana Health (NH) is seeking a motivated and hands-on Application Security Analyst to join our technology arm, Athma SDC, in Bengaluru. This role is crucial for ensuring the security of our next-generation healthcare products. You will be responsible for conducting comprehensive Vulnerability Assessment and Penetration Testing (VAPT) for web and mobile applications, alongside supporting secure SDLC initiatives using SAST, SCA, DAST, and MAST methodologies. As a key member of our team, you will collaborate closely with development, DevOps, and product teams to proactively identify, validate, and remediate application security risks, contributing to our mission of making healthcare safe and affordable.

Key Responsibilities:

• Perform in-depth Web and Mobile Application VAPT to uncover security vulnerabilities, misconfigurations, and critical logic flaws.
• Conduct rigorous security testing leveraging SAST, SCA, DAST, and MAST tools and techniques.
• Manually validate findings to ensure accuracy, eliminate false positives, and assess real-world exploitability.
• Execute specialized API security testing, focusing on authentication, authorization, business logic, and rate limiting.
• Partner with development teams to embed robust security controls throughout the Secure Software Development Lifecycle (SSDLC).
• Provide clear, actionable remediation guidance rooted in secure coding best practices.
• Map identified vulnerabilities to industry standards, including OWASP Top 10 (Web, API, Mobile) and MASVS.
• Assist in the development and maintenance of application security standards, testing procedures, and guidelines.
• Support ongoing re-testing and validation for the closure of identified vulnerabilities.
• Continuously stay abreast of emerging threats, novel attack techniques, and evolving application security trends.

Required Skills & Qualifications:

• Minimum of 3 years of hands-on experience in Application Security or Vulnerability Assessment and Penetration Testing (VAPT).
• Strong understanding of Web, API, and Mobile application architectures.
• Practical experience with VAPT tools, including proficiency with Burp Suite (Professional preferred) and OWASP ZAP.
• Experience with mobile testing tools such as MobSF, Drozer, or Frida is highly desirable.
• Solid knowledge of OWASP Top 10 (Web, API, Mobile) and common vulnerabilities (e.g., IDOR, Authentication issues, Business Logic flaws, Injection, XSS, CSRF).
• Experience working with SAST, SCA, and DAST tools (tool-agnostic understanding is acceptable).
• Proficiency in analyzing logs, HTTP traffic, and application behavior to identify security flaws.
• Excellent reporting skills, with the ability to articulate risks clearly to both technical and non-technical stakeholders.
• Good understanding of secure coding practices.

Good to Have:

• Experience with Mobile App Security Testing (Android/iOS).
• Exposure to CI/CD security integration.
• Familiarity with cloud application security basics (AWS/Azure).
• Knowledge of Threat Modeling concepts.
• Relevant Appsec-related training certifications.

Soft Skills:

• Strong analytical and problem-solving mindset.
• Effective communication and documentation skills.
• Ability to collaborate effectively with cross-functional teams.
• A proactive willingness to learn and adapt in a dynamic security landscape.