Application Security Analyst Lead

Who we are

NTT DATA is one of the world's largest global security service providers, partnering with some of the most recognized security technology brands. We're looking for passionate, curious, and motivated individuals to join our team.

What you’ll be doing

• Conduct security assessments for web apps, APIs, and mobile apps under limited supervision.
• Perform OWASP Top 10 and advanced penetration testing (authenticated/unauthenticated).
• Assess API security (REST, GraphQL, SOAP) and test auth, session management, and access controls.
• Identify business logic flaws and exploit vulnerabilities.
• Perform manual/automated secure code reviews across multiple languages.
• Identify vulnerabilities (injection, XSS, insecure dependencies) and review architecture for weaknesses.
• Analyze third-party libraries, cryptographic implementations, and secure data handling.
• Provide actionable remediation guidance and secure coding recommendations.
• Assess iOS/Android apps, including reverse engineering and binary analysis.
• Test data storage, transmission, backend APIs, and mobile authentication mechanisms.
• Evaluate permissions, intents, IPC, and mobile-specific vulnerabilities (e.g., insecure storage).
• Integrate security testing into CI/CD pipelines and DevOps workflows.
• Configure and optimize SAST, DAST, and SCA tools; develop automation scripts.
• Implement security gates, reusable test cases, and support shift-left security initiatives.
• Analyze findings, determine risk severity, and produce detailed reports with remediation guidance.
• Validate fixes post-remediation, track findings to closure, and maintain vulnerability metrics.
• Present results to development teams and management.
• Review application designs for weaknesses against OWASP ASVS and security standards.
• Evaluate authentication/authorization models, data flows, and threat models.
• Support secure design workshops and threat modeling sessions.

What you'll bring along

• Bachelor's degree in Computer Science, Software Engineering, Cybersecurity, or related field
• Minimum 5–10 years of experience in cybersecurity or IT security roles.
• Strong knowledge of OWASP Top 10, OWASP ASVS, and web application security principles
• Solid experience with web application penetration testing tools and methodologies
• Proficiency in identifying and exploiting common application vulnerabilities
• Understanding of API security testing for REST, GraphQL, SOAP, and microservices
• Knowledge of mobile application security testing for iOS and Android platforms
• Programming languages: Java, .NET (C#), Python, JavaScript, TypeScript, PHP
• Web frameworks: Spring, Django, Flask, Express.js, React, Angular, Vue.js
• Mobile development: Swift, Kotlin, React Native, Flutter basics
• Scripting: Python, Bash, PowerShell for security automation
• Database security: SQL injection, NoSQL security, ORM security issues
• Web testing: Burp Suite Professional, OWASP ZAP, Postman, SQLMap
• Code analysis: SonarQube, Checkmarx, Fortify, Veracode, Semgrep
• Mobile testing: MobSF, Frida, Objection, APKTool, iOS security tools
• Dependency scanning: OWASP Dependency-Check, Snyk, WhiteSource
• Automation: Selenium, Jenkins, GitLab CI/CD, custom Python scripts
• Deep understanding of OWASP Testing Guide and Application Security Verification Standard
• Knowledge of PCI DSS application security requirements
• Familiarity with secure SDLC practices and DevSecOps principles
• Understanding of threat modeling methodologies (STRIDE, PASTA, LINDDUN)
• Awareness of privacy-by-design and secure coding standards
• Clear technical communication with developers and non-technical stakeholders
• Ability to explain complex vulnerabilities and provide practical remediation guidance
• Collaboration skills for working with development, DevOps, and product teams
• Analytical thinking and creative approach to finding security weaknesses
• Patience and persistence in thorough security testing activities
• OSCP (Offensive Security Certified Professional) or CEH (Certified Ethical Hacker) - Mandatory
• GWAPT (GIAC Web Application Penetration Tester) or equivalent web app security cert - Preferred
• Burp Suite Certified Practitioner 
• Programming or development certification 
• Excellent command of both spoken and written English.