Talent.com
Hotfoot - Product Security Lead

HOTFOOT TECHNOLOGY SOLUTIONS PRIVATE LIMITED, Chennai
26 days ago
Job description

Location : Chennai (HQ) Onsite.

Function : Product Security.

Experience : 7 - 12 years (incl. 2+ years in a lead / ownership role).

About the role :

We're looking for a Product Security Lead to embed security into our SDLC and own end-to-end VAPT (vulnerability assessment and penetration testing) remediation across our lending product suite (LOS / LMS, rules engine, analytics).

You'll partner with engineering and platform teams to design, build, and operate secure-by-default products used by leading financial institutions.

What you'll do :

  • Own the Secure SDLC for microservices (Java / Spring Boot), Node / TypeScript backends, Angular UIs, and Android / Flutter apps - policy, standards, and release gates.

  • Build and run CI / CD security controls : SAST, SCA / SBOM, secrets & IaC checks, container / image scanning; automate DAST / IAST in pipelines; enforce block-on-fail where needed.
  • Drive VAPT end-to-end : Scope with internal / third-party testers, triage findings, set SLAs, track remediation to closure; verify fixes and prevent regressions.
  • Threat model & review designs / code for authN / Z, crypto, session management, API security, data protection / PII, and high-risk modules (payments, onboarding, documents).
  • Cloud & platform security (AWS) : baselines for EC2 / ALB, RDS / KMS, S3 policies, network segmentation, mTLS / JWT service auth, Vault-backed secrets, and key rotation.
  • Observability & governance : wire security logs to SIEM, define AppSec KPIs (MTTR, SLA adherence, gate coverage), and report risk posture to engineering leadership.
  • Upskill teams : run secure coding workshops, build a security champions program, create playbooks / runbooks for common vulns and abuse cases.

What you'll bring :

  • 7 - 12 years in Application / Product Security, including leading Secure SDLC and VAPT remediation in a product engineering environment.
  • Hands-on with SAST / SCA / DAST / IAST, code reviews, and threat modeling (e.g., STRIDE); ability to read code in Java / Spring, Node / TypeScript, and Angular.
  • Prior experience integrating security checks and gating criteria into CI pipelines with tools such as SonarQube.
  • Strong grasp of OWASP Top 10, API Security Top 10, ASVS, CWE, secrets management, and CI / CD hardening.
  • AWS security experience : IAM, KMS, RDS encryption, SG / WAF, CloudTrail / GuardDuty; familiarity with Docker / Kubernetes and IaC.
  • Experience running vendor / 3rd-party VAPT cycles and landing fixes to SLA with engineering teams.

  • Awareness of compliance contexts (ISO 27001 / SOC 2, RBI guidance, DPDP Act) and secure handling of PII / financial data.
  • Nice to have : mobile app security (OWASP MASVS), OAuth2 / OIDC, mTLS, WebAuthn / modern auth patterns; Kafka, Redis, NGINX, Consul, Vault.
  • Certifications (optional, a plus) : OSWE / OSCP, GWAPT / GWEB, CSSLP.

What success looks like (first 6 months) :

  • 95% of Critical / High findings closed within SLA across services.
  • All repos behind security gates with SBOMs published; zero hard-coded secrets; baseline threat models for top services.
  • Repeatable VAPT remediation verification loop with dashboards visible to leadership.
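As an added illustration of the block-on-fail gate and SLA tracking described under "What you'll do", and of the Critical / High closure-within-SLA metric above (example code, not Hotfoot's own tooling): a small Python policy check over a constructed list of scanner findings. The per-severity SLA values, finding ids, tool names, dates and the risk-acceptance record are all assumed for the example.

```python
"""Block-on-fail security gate plus SLA-adherence reporting over scanner findings.

Added example, not Hotfoot's code. All findings, dates and SLA values below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Remediation SLA in days per severity (assumed policy values, not from the posting).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
# Severities that block a release as soon as they are open and not risk-accepted.
BLOCKING = {"critical", "high"}


@dataclass
class Finding:
    id: str
    tool: str               # sast / sca / secrets / container
    severity: str           # key of SLA_DAYS
    opened: date
    closed: Optional[date] = None


@dataclass
class Acceptance:
    """Time-boxed risk acceptance; an expired one is ignored by the gate."""
    finding_id: str
    expires: date
    reason: str


def evaluate_gate(findings: List[Finding], acceptances: List[Acceptance],
                  today: date) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). An open finding without an unexpired acceptance
    blocks when it is Critical/High, or when any severity is past its SLA."""
    accepted = {a.finding_id for a in acceptances if a.expires >= today}
    reasons = []
    for f in findings:
        if f.closed is not None or f.id in accepted:
            continue
        age = (today - f.opened).days
        if f.severity in BLOCKING:
            reasons.append(f"{f.id} ({f.tool}, {f.severity}) open {age}d: blocking severity")
        elif age > SLA_DAYS[f.severity]:
            reasons.append(f"{f.id} ({f.tool}, {f.severity}) open {age}d: past {SLA_DAYS[f.severity]}d SLA")
    return (not reasons, reasons)


def sla_adherence(findings: List[Finding], today: date,
                  severities=BLOCKING) -> Tuple[float, int, int]:
    """Share of Critical/High findings closed within SLA. Open findings already
    past their SLA count as misses, so the metric cannot be improved by leaving
    findings open. Returns (ratio, counted, within)."""
    counted = within = 0
    for f in findings:
        if f.severity not in severities:
            continue
        limit = SLA_DAYS[f.severity]
        if f.closed is not None:
            counted += 1
            if (f.closed - f.opened).days <= limit:
                within += 1
        elif (today - f.opened).days > limit:
            counted += 1          # open and overdue: a miss
        # open and still inside SLA: undecided, excluded from the ratio
    return (within / counted if counted else 1.0), counted, within


# Constructed sample data.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Finding("SCA-101", "sca", "critical", date(2024, 6, 1), date(2024, 6, 5)),   # closed in 4d, within 7d SLA
    Finding("SAST-202", "sast", "high", date(2024, 6, 1), date(2024, 6, 20)),    # closed in 19d, misses 14d SLA
    Finding("SEC-303", "secrets", "high", date(2024, 6, 27)),                    # open 3d, unaccepted: blocks
    Finding("IMG-404", "container", "medium", date(2024, 5, 1)),                 # open 60d: past 30d SLA
    Finding("SAST-505", "sast", "low", date(2024, 6, 10)),                       # open 20d: inside 90d SLA
    Finding("SCA-606", "sca", "critical", date(2024, 6, 25)),                    # open 5d but accepted until July
]
ACCEPTED = [Acceptance("SCA-606", date(2024, 7, 15), "vulnerable code path disabled by config")]


def demo():
    passed, reasons = evaluate_gate(SAMPLE, ACCEPTED, TODAY)
    ratio, counted, within = sla_adherence(SAMPLE, TODAY)
    return passed, reasons, ratio, counted, within


if __name__ == "__main__":
    passed, reasons, ratio, counted, within = demo()
    print("gate:", "PASS" if passed else "FAIL")
    for r in reasons:
        print(" -", r)
    print(f"Critical/High SLA adherence: {within}/{counted} = {ratio:.0%}")
```

In a pipeline the gate function would run against the real scanner export (SARIF, SBOM scan output) and the acceptance file would live in the repo under review, so that every exception is visible, owned, and expires; the same adherence function feeds the leadership dashboard mentioned above.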

Why join us :

  • Build security for mission-critical fintech products at scale.
  • High ownership, direct impact, and the chance to set the bar for product security across our stack.
  • Collaborative culture with strong engineering, rapid delivery, and growth opportunities.
(ref : hirist.tech)
