Web Application & API Security Engineer

Location: MH, IN, India

Job Description

Role Summary



The Web Application & API Security Engineer will be responsible for protecting our clients' web applications and APIs by serving as the subject matter expert (SME) for our Web Application Firewall (WAF) service. This role requires a strong offensive security mindset to conduct comprehensive vulnerability assessments, translate findings into effective WAF rules, and continuously tune policies to maintain a robust defense against emerging threats.

Key Responsibilities



WAF Management & Rule Tuning

  • Design, implement, and manage custom security policies and rulesets across various WAF platforms (e.g., Cloudflare, Akamai, AWS WAF, ModSecurity) for diverse client applications.
  • Proactively tune and optimize WAF policies to minimize False Positives (FPs) while ensuring high-fidelity threat detection and blocking.
  • Conduct forensic analysis of WAF logs and security events to identify new attack vectors and bypassed rules, and adjust mitigations accordingly.
  • Stay current with the latest CVEs and threat intelligence, and rapidly deploy compensating WAF controls.

Vulnerability Assessment (VA) & API Security

  • Perform Vulnerability Assessments and light Penetration Testing on client web applications and APIs to identify critical security flaws.
  • Deeply understand, and provide effective mitigation strategies for, common vulnerabilities, including the OWASP Top 10 and the OWASP API Security Top 10.
  • Evaluate and ensure the security of modern API architectures, including REST and GraphQL, focusing on authentication (e.g., OAuth, JWT), authorization (BOLA/BFLA), and proper data handling.
  • Collaborate with application development and DevOps teams to advise on secure coding practices and security architecture improvements.

Automation & DevSecOps

  • Develop and maintain scripts (Python, Bash) for automating WAF deployment, configuration, and log analysis tasks.
  • Leverage SIEM and logging platforms (e.g., Elastic Stack) to monitor WAF efficacy, generate security reports, and correlate events.

Required Qualifications and Skills



Foundational Expertise

  • 4+ years of experience in an Application Security, Penetration Testing, or Security Engineering role.
  • Expert-level knowledge of HTTP/HTTPS protocols, TCP/IP, and TLS/SSL.
  • Proficiency with security tools such as Burp Suite Professional, OWASP ZAP, and various vulnerability scanners.
  • Solid understanding of common attack techniques (SQLi, XSS, SSRF, Deserialization, XXE, Command Injection).

WAF & API Specific Skills (The Core)

Mandatory:

  • Proven hands-on experience in writing, customizing, and tuning WAF rules (e.g., ModSecurity/Coraza Rule Language, WAF custom policy language).
  • Strong understanding of API security mechanisms and vulnerabilities (e.g., broken object level authorization - BOLA, excessive data exposure).
  • Experience with cloud security platforms and WAF offerings in major environments (AWS, Azure, GCP).

Desirable (Nice-to-Have) Skills

  • Industry certifications such as OSCP, CEH, CISSP, GWEB, or relevant cloud certifications.
  • Experience with Bot Management and Layer 7 DDoS mitigation strategies.
  • Familiarity with container security and microservices architecture.
  • Experience in a client-facing service provider environment.

Job Type: Full-time

Pay: ₹600,000.00 - ₹1,000,000.00 per year

Work Location: In person


Job Detail

  • Job Id
    JD4627864
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    Not mentioned
  • Employment Status
    Permanent
  • Job Location
    MH, IN, India
  • Education
    Not mentioned
  • Experience
    Year