Application Security Architect

Bangalore, Karnataka, India

Job Type

Full Time

About the Role

Key Responsibilities:
• API Security Design and Implementation:
o Design and implement secure API architectures that incorporate authentication, authorization (OAuth 2.0, JWT, etc.), and encryption mechanisms.
o Enforce API security best practices including rate limiting, input validation, logging, and auditing.
o Secure external API integrations and manage API gateways for secure traffic management.
o Thorough understanding of the OWASP API Security Top 10 and the OWASP REST Security Cheat Sheet; identify common proactive controls for applications (e.g., the OWASP Proactive Controls).
o Good understanding of the OAuth 2.0 and OIDC standards.
o Expertise in designing security for API architecture styles (REST, Webhooks, WebSocket, GraphQL, gRPC, MQTT) and for microservices architectures in cloud-native environments (AWS, Azure, GCP, OCI).
• Microservices Security Architecture:
o Architect and implement secure microservices that use containerization (e.g., Docker) and orchestration (e.g., Kubernetes), with a focus on service-to-service authentication, service mesh security, and east-west traffic protection.
o Apply Zero Trust principles to microservices: network segmentation, secure communication (mTLS), and secrets management (e.g., HashiCorp Vault).
• Threat Modeling and Risk Assessments:
o Perform threat modeling (e.g., STRIDE, PASTA) for critical applications to identify weaknesses and recommend appropriate security controls.
o Conduct architectural risk assessments on new and existing systems to identify and prioritize risks, integrating security by design.
o Use threat modeling tools such as OWASP Threat Dragon, the Microsoft Threat Modeling Tool, or other automated threat modeling tools for systematic risk analysis and mitigation planning.
o Clear understanding of risk factors, risk-related concepts, and risk assessment.
• Secure Software Development:
o Champion a Secure Development Lifecycle (SDLC), ensuring security is embedded in every stage from design to deployment, and drive and maintain security throughout the entire lifecycle.
o Integrate the SDLC with the application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure coding).
o Define and enforce secure coding standards (e.g., OWASP Top 10, CWE/SANS Top 25, OWASP Cheat Sheet Series) across development teams.
o Integrate security automation into CI/CD pipelines using Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) tools.
o Depending on the area of work, evaluate and select components; design the hardware, software, process, and service components of the solution; provide assurance of deployment architectures; and guide secure engineering practices in development.
• Cloud and Container Security:
o Determine application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), SaaS/IaaS/PaaS environments).
o Assess cloud-native application architectures with a focus on security.
o Design and implement security controls for cloud-native applications using secure deployment frameworks such as Infrastructure as Code (IaC), ensuring proper configuration of AWS, Azure, or GCP environments.
o Deep expertise with either AWS or Microsoft Azure security: cloud security compliance, cloud data security, cloud threat and incident management, WAF, VPC security controls, and security log management.
o Design and develop security architectures for cloud and hybrid systems.
o Exposure to Kubernetes, container security, network security, and virtualization.
• Identity and Access Management (IAM):
o Detailed technical knowledge of techniques and standards for authentication, authorization, and identity management (SSO, OAuth, OpenID Connect, RBAC, ABAC, etc.).
o Ensure multi-factor authentication (MFA) and role-based access control (RBAC) are applied to sensitive components and APIs.
• Third-Party and Supply Chain Security:
o Assess and secure the software supply chain by conducting third-party security assessments of libraries, frameworks, and external services used in the application ecosystem.
o Implement processes for verifying the Software Bill of Materials (SBOM), and ensure secure use of open-source components through regular security patching and auditing.
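One way to automate the SBOM verification step named in the last bullet, as an added example that is not part of this posting or of the employer's own tooling: the Python below parses a constructed CycloneDX-style JSON document, checks each component's recorded SHA-256 against the bytes the build actually produced, flags components that carry no hash at all, flags built artifacts the SBOM never declared, and checks name/version pairs against a policy denylist. The package names, the artifact bytes and the denylist entries are all invented for illustration and do not refer to real vulnerabilities.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed build output: package URL -> bytes the build actually produced.
# Real entries would be wheels, jars or container layers; these stand-ins are invented.
BUILT_ARTIFACTS: dict[str, bytes] = {
    "pkg:pypi/exampleclient@1.4.2": b"constructed bytes for exampleclient 1.4.2",
    "pkg:pypi/examplehttp@2.0.1": b"constructed bytes for examplehttp 2.0.1",
    "pkg:pypi/undeclaredlib@0.1.0": b"constructed bytes for a package nobody listed",
}

# Constructed CycloneDX-style SBOM as JSON text, the way a generator would emit it.
# exampleclient's hash is correct; examplehttp's was altered; exampleyaml has none.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "exampleclient", "version": "1.4.2",
         "purl": "pkg:pypi/exampleclient@1.4.2",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(BUILT_ARTIFACTS["pkg:pypi/exampleclient@1.4.2"])}]},
        {"type": "library", "name": "examplehttp", "version": "2.0.1",
         "purl": "pkg:pypi/examplehttp@2.0.1",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "library", "name": "exampleyaml", "version": "0.9.0",
         "purl": "pkg:pypi/exampleyaml@0.9.0"},
    ],
})

# Constructed policy denylist of (name, version) pairs. A real pipeline would derive
# this from an advisory feed; this entry is illustrative only.
DENYLIST: set[tuple[str, str]] = {("exampleyaml", "0.9.0")}


@dataclass(frozen=True)
class Finding:
    purl: str
    reason: str


def verify_sbom(sbom_json: str, built: dict[str, bytes],
                denylist: set[tuple[str, str]]) -> list[Finding]:
    """Return one Finding per policy violation; an empty list means the SBOM checks out."""
    sbom = json.loads(sbom_json)
    findings: list[Finding] = []
    declared: set[str] = set()
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        purl = comp.get("purl") or f"{name}@{version}"
        declared.add(purl)
        if (name, version) in denylist:
            findings.append(Finding(purl, "version is on the denylist"))
        recorded = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        if "SHA-256" not in recorded:
            findings.append(Finding(purl, "no SHA-256 recorded in SBOM"))
        elif purl not in built:
            findings.append(Finding(purl, "declared in SBOM but not present in build output"))
        elif recorded["SHA-256"] != sha256_hex(built[purl]):
            findings.append(Finding(purl, "SHA-256 mismatch between SBOM and built artifact"))
    # Anything built that the SBOM never mentions is a gap in the inventory itself.
    for purl in sorted(set(built) - declared):
        findings.append(Finding(purl, "built artifact not declared in SBOM"))
    return findings


if __name__ == "__main__":
    for f in verify_sbom(SAMPLE_SBOM_JSON, BUILT_ARTIFACTS, DENYLIST):
        print(f"{f.purl}: {f.reason}")
```

Run against the constructed inputs it reports four findings: the altered hash, the missing hash, the denylisted version, and the undeclared artifact. In a CI gate the natural policy is to fail the build on any non-empty result, so that a component cannot ship without a hash that matches what was built.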
Qualifications:
• Postgraduate or graduate degree in Computer Science, Information Security, or a related field.
• At least 10 years of experience in application security architecture and secure software development.
• Knowledge of security standards such as the OWASP Top 10 (Web, API, CI/CD), NIST CSF 2.0, NIST SP 800-218 (SSDF), SP 800-37, SP 800-53 Rev. 5 and SP 800-161, ISO standards, SOC 2, GDPR, PCI DSS, and the CIS Controls.
• Relevant cybersecurity certifications such as CSSLP, CISSP, CCSP, AWS Certified Security - Specialty, or similar cloud security certifications are a plus.

About the Company

Cigres Technologies Private Limited is a technology consulting and services company that focuses on helping clients resolve their significant digital problems and enabling radical digital transformation using multiple technologies, on premises or in the cloud. The company was founded with the goal of leveraging cutting-edge technology to deliver innovative solutions to clients across various industries.