About the Role
Key Responsibilities:
• API Security Design and Implementation:
o Design and implement secure API architectures that incorporate authentication, authorization (OAuth 2.0, JWT, etc.), and encryption in transit and at rest.
o Enforce API security best practices, including rate limiting, input validation, logging, and auditing.
o Secure external API integrations and manage API gateways as the enforcement point for authentication, throttling, and traffic policy.
o Thorough understanding of the OWASP API Security Top 10 and the OWASP REST Security Cheat Sheet; identify and apply common proactive controls for applications (e.g., the OWASP Top 10 Proactive Controls).
o Good understanding of the OAuth 2.0 and OpenID Connect (OIDC) standards, including which grant types and token validation rules are appropriate for a given client.
o Expertise in designing security for multiple API architecture styles (REST, Webhooks, WebSocket, GraphQL, gRPC, MQTT) and for microservices architectures in cloud-native environments (AWS, Azure, GCP, OCI).
• Microservices Security Architecture:
o Architect and implement secure microservices that use containerization (e.g., Docker) and orchestration (e.g., Kubernetes), with a focus on service-to-service authentication, service mesh security, and east-west traffic protection.
o Apply Zero Trust principles to microservices: network segmentation, mutually authenticated and encrypted communication (mTLS), and centralized secret management (e.g., HashiCorp Vault) rather than secrets baked into images or environment variables.
• Threat Modeling and Risk Assessments:
o Perform threat modeling (e.g., STRIDE, PASTA) for critical applications to identify threats and weaknesses and recommend appropriate security controls.
o Conduct architectural risk assessments on new and existing systems to identify and prioritize risks, integrating security by design.
o Use threat modeling tools such as OWASP Threat Dragon, the Microsoft Threat Modeling Tool, or other automated threat modeling tools for systematic risk analysis and mitigation planning.
o Clear understanding of risk factors, risk-related concepts (likelihood, impact, residual risk), and risk assessment methodology.
• Secure Software Development:
o Champion the Secure Software Development Lifecycle (SSDLC), ensuring security is embedded in every stage from requirements and design through deployment and operation.
o Integrate the Software Development Life Cycle (SDLC) with the application security architecture (e.g., a Requirements Traceability Matrix (RTM) linking security requirements to tests, security architecture documentation, secure coding guidance).
o Define and enforce secure coding standards (e.g., OWASP Top 10, CWE/SANS Top 25, OWASP Cheat Sheet Series) across development teams.
o Integrate security automation into CI/CD pipelines, leveraging Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) tools, with findings gating the build where appropriate.
o Depending on the area of work, evaluate and select components; design the hardware, software, process, and service components of the solution; provide assurance of deployment architectures; and guide secure engineering practices in development.
• Cloud and Container Security:
o Determine application security capability requirements and strategy across deployment models (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) environments).
o Able to assess cloud-native application architectures with a focus on security.
o Design and implement security controls for cloud-native applications using Infrastructure as Code (IaC), ensuring proper, repeatable configuration of AWS, Azure, or GCP environments.
o Deep expertise with either AWS or Microsoft Azure security: cloud security compliance, cloud data security, cloud threat and incident management, WAF, VPC/VNet security controls, and security log management.
o Design and develop security architectures for cloud and hybrid cloud/on-premise systems.
o Exposure to Kubernetes, container security, network security, and virtualization.
• Identity and Access Management (IAM):
o Detailed technical knowledge of the techniques and standards for authentication, authorization, and identity management (SSO, OAuth, OpenID Connect, RBAC, ABAC, etc.).
o Ensure multi-factor authentication (MFA) and role-based access control (RBAC) are applied to sensitive components and APIs.
• Third-Party and Supply Chain Security:
o Assess and secure the software supply chain by conducting third-party security assessments of the libraries, frameworks, and external services used in the application ecosystem.
o Implement processes for generating and verifying a Software Bill of Materials (SBOM), and ensure secure use of open-source components through regular security patching and auditing.
Qualifications:
• Postgraduate or graduate degree in Computer Science, Information Security, or a related field.
• A minimum of 10 years of experience in application security architecture and secure software development.
• Knowledge of security standards such as the OWASP Top 10 (Web, API, CI/CD), NIST CSF 2.0, NIST SP 800-218 (SSDF), SP 800-37, SP 800-53 Rev. 5, and SP 800-161, ISO 27001, SOC 2, GDPR, PCI DSS, and the CIS Controls.
• Relevant cybersecurity certifications such as CSSLP, CISSP, CCSP, AWS Certified Security - Specialty, or similar cloud security certifications are a plus.
About the Company
Cigres Technologies Private Limited is a technology consulting and services company that focuses on helping clients resolve their significant digital problems and enabling radical digital transformation using multiple technologies on premise or in the cloud. The company was founded with the goal of leveraging cutting-edge technology to deliver innovative solutions to clients across various industries.