Cashfree is a leading payments and API banking solutions company. We provide full-stack payments solutions enabling businesses in India to collect payments and make payouts via all available methods with a simple integration. Cashfree’s offerings include an advanced and easy way to integrate payment gateway, a split payment solution for marketplaces, bank account verification API and Auto Collect -- a virtual account solution to match inbound payments to customers. Founded by IIIT Hyderabad alumnus Akash Sinha and IIT Kharagpur graduate Reeju Datta, www.cashfree.com is among the leading payment service providers in India processing transactions worth USD 80 Billion annually. We have leveraged technology to lead payment disbursals in India with more than 50% market share among payment processors. Cashfree enables more than 8,00,000 businesses with payment collections, vendor payouts, wage payouts, bulk refunds, expense reimbursements, loyalty and rewards. Apart from India, Cashfree’s products are used in eight other countries including USA, Canada and UAE. Cashfree is backed by Silicon Valley investor Y Combinator, Apis Partners, State Bank of India (SBI) and was incubated by PayPal. Cashfree is currently used by over 800,000 businesses for vendor payouts, wage payouts, build refunds, expense reimbursements, loyalty, and rewards. Some of its notable customers include Dunzo, Xiaomi, Tencent, Delhivery, Zomato, Cred, Club Factory, and ExxonMobil.

Job Description

Function:
• Application Security
• Information Security
• Vulnerability Assessment
• Cloud Security
• Product Security

Responsibilities:
• Work with stakeholders to define and own Security road map for one or more business areas and build the Security processes from scratch.
• Provide technical and scientific leadership to the team
• Roll up your sleeves and do hands-on work.
• Build, coach, mentor, and grow the team
• Be at the forefront of emerging vulnerabilities/threats which could affect Cashfree products through independent research and study.
• Examine the products in detail to discover vulnerabilities and collaborate with the other security engineers to practically demonstrate the exploitability and risk factors.
• Engage with the developers in developing workarounds/mitigation plans and ensure they are implemented per policy.
• Engage with the development teams to conduct secure design reviews/threat modeling exercises to enumerate threats and mitigation strategies.
• Enable the developers with knowledge of threat modeling by conducting focused workshops.
• Secure Coding: Priorities critical defects and ensure these are identified and mitigated during the sprint.
• Integration and automation of SAST in the DevOps pipeline.
• Build secure coding principles and propagate them across the development community.
• Be the to-go person for developers in solving critical issues relating to secure product development.
• Build and enhance secure coding/security assessment training content for developers and the QA team.
• Deliver training programs at various levels in the organizations.
• Conduct workshops/security tech talks to disseminate security knowledge and awareness.
• Conduct white-box and grey-box offensive penetration testing against applications, front-end and back-end micro-services, and web services.
• Conduct network infrastructure, Public Cloud (AWS and GCP), and data-layer offensive pen testing.
• Perform manual source code reviews and audits (manual and SCA/SAST code audits) as needed.
• Perform any other application security or product security-related activities or tasks as needed or directed.
• Validate 3rd party external pen-test and crowd-sourced application security findings and work with our engineering teams.

Qualifications:
• B. S. in Computer Science, Electrical, or Computer Engineering, or equivalent work experience as a software engineering or security practitioner.
• 10 years of relevant engineering or security assessment experience, experience in application security.
• Possess a broad knowledge of attack vectors, exploits, and mitigations that work at scale or may be linked together for chained attacks.
• Experience with Java, Go, Python, or Node.js (bonus points for more than one).
• Experience with assessing Cloud-native services, service meshes, and K notes-platform-based micro-services.
• Be able to apply unconventional thinking and problem-solve on the boundary of your knowledge base, learning new technologies or languages as needed to complete pen-test tasks.
• Be able to think both offensively (like a hacker) and defensively (evaluating product security and design).
• Familiarity with industry-standard threat modeling, risk modeling, and vulnerability classification.
• Experience with pre-assessment architectural and API analysis to the scope and preparing white-box and grey-box assessments.
• Experience working with in-house engineering organizations, S-SDLC/CICD software lifecycle, and QA processes.
• Good knowledge of multiple classes of vulnerabilities that includes cross-site scripting, SQL Injection, CSRF, cryptographic-related weakness, and code injection.
• Good knowledge of any programming/scripting languages such as Java, Ruby, and Python.
• Good knowledge relating to services/technology relating to the cloud.
• Ability to automate security testing and improve productivity in security assessments.
• Ability to communicate and interpret security vulnerabilities to various audiences such as development and management teams.