Senior SecOps & AppSec Lead - Noida

Own AppSec & SecOps end-to-end, from code to production. Lead security scans, fix real vulnerabilities, upgrade libraries, embed security into CI/CD, and mentor a lean SecOps team.

Department: Engineering
Reports To: Director Engineering
Team Size: 1–2 Direct Reports
Scope: AppSec + DevSecOps

Role Overview

We are looking for a Sr. SecOps & AppSec Lead to own and drive security operations across the entire product lifecycle, from code commit through build, deployment, and production. You will manage our security scanning pipeline (Veracode, SonarQube, Trivy), identify and remediate vulnerabilities in application code and open-source dependencies, upgrade libraries to eliminate known CVEs, and work hands-on to fix application security issues alongside development teams.

This role blends application security engineering with DevOps pipeline management. You will not just report vulnerabilities: you will reproduce them, assess their real-world exploitability in our context, and either fix them yourself or guide developers through remediation. You will also own CI/CD pipeline health, ensuring security gates are embedded into every build without becoming a bottleneck. Additionally, you will lead 1–2 junior engineers, building a small but effective security operations practice.
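The scanning pipeline and build gates described in the role overview come down to one concrete decision per scan report: does this build promote or not. The block below is an added example of such a gate, not NeoXam's code and not part of the listing. It reads the Results/Vulnerabilities layout that `trivy image --format json` emits; the severity threshold, the risk-acceptance list with expiry dates, the placeholder CVE identifiers and the sample report are all constructed for illustration.

```python
"""Severity-threshold quality gate over a Trivy JSON report.

Added example, not NeoXam's code or Trivy's. The Results/Vulnerabilities
layout is the one `trivy image --format json` emits; the threshold policy,
the allowlist format, the vulnerability IDs and the sample report below are
constructed for illustration.
"""
import json
import sys
from datetime import date

# Rank used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in Trivy's JSON layout; CVE IDs are placeholders.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "registry.example/app:1.4.2 (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "Severity": "CRITICAL", "InstalledVersion": "3.0.11-1",
                 "FixedVersion": "3.0.13-1"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "Severity": "HIGH", "InstalledVersion": "2.36-9",
                 "FixedVersion": ""},  # no upstream fix available yet
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
                 "Severity": "HIGH", "InstalledVersion": "7.88.1-10",
                 "FixedVersion": "7.88.1-11"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib1g",
                 "Severity": "MEDIUM", "InstalledVersion": "1.2.13-1",
                 "FixedVersion": "1.2.13-2"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libxml2",
                 "Severity": "HIGH", "InstalledVersion": "2.9.14-1",
                 "FixedVersion": "2.9.14-2"},
            ],
        }
    ]
}

# Constructed risk-acceptance list (hypothetical format): each accepted
# finding carries the triage reason and an expiry date, so acceptance is
# re-reviewed instead of becoming a permanent blind spot.
SAMPLE_ALLOWLIST = {
    "CVE-0000-0003": {"expires": "2099-01-01",
                      "reason": "vulnerable function not reachable from our code"},
    "CVE-0000-0005": {"expires": "2024-06-30",
                      "reason": "temporary acceptance pending base image bump"},
}


def evaluate_gate(report, allowlist, threshold="HIGH",
                  ignore_unfixed=True, today=None):
    """Apply the gate policy to a parsed Trivy report.

    Returns (passed, blocking, accepted, unfixed). A finding blocks the build
    when its severity is at or above `threshold`, it is not covered by an
    unexpired allowlist entry, and (when `ignore_unfixed` is set) a fixed
    version exists, since a finding with no fix cannot be closed by an
    upgrade and belongs in the backlog rather than the gate.
    `today` is an ISO date string, defaulting to the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking, accepted, unfixed = [], [], []
    for result in report.get("Results", []):
        # Targets with no findings may omit the key or carry null.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < min_rank:
                continue  # below the gate threshold, reported but not blocking
            vid = vuln["VulnerabilityID"]
            entry = allowlist.get(vid)
            if entry and date.fromisoformat(entry["expires"]) >= today:
                accepted.append(vid)  # risk accepted and acceptance still valid
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                unfixed.append(vid)  # nothing to upgrade to yet
                continue
            blocking.append(vid)
    return not blocking, blocking, accepted, unfixed


def main(argv):
    """CLI entry: `python gate.py report.json [allowlist.json]`; exits 1 on failure."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
        allowlist = {}
        if len(argv) > 2:
            with open(argv[2]) as fh:
                allowlist = json.load(fh)
    else:
        report, allowlist = SAMPLE_REPORT, SAMPLE_ALLOWLIST
    passed, blocking, accepted, unfixed = evaluate_gate(report, allowlist)
    print(f"accepted (allowlisted, unexpired): {accepted}")
    print(f"skipped (no fix available): {unfixed}")
    print(f"blocking: {blocking}")
    print("GATE PASSED" if passed else "GATE FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a GitLab CI job this would run after `trivy image --format json --output report.json "$IMAGE"`, with the job's exit status deciding promotion. Trivy's own `--severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed` flags give a simpler gate; the value of a script like this is that every accepted finding is recorded with a reason and an expiry date, which is exactly the evidence a SOC 2 or ISO 27001 auditor asks for when a known vulnerability is left in a production image.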
Key Responsibilities

Security Scanning & Pipeline Management
• Own and manage the end-to-end security scanning pipeline: SAST (Veracode, SonarQube), SCA (Veracode SCA / Snyk / OWASP Dependency-Check), and container image scanning (Trivy)
• Configure, tune, and maintain scanning policies: reduce false positives, set severity thresholds, and define quality gates that block vulnerable builds from promotion
• Integrate security scans into CI/CD pipelines (GitLab Runner/GitLab CI) so that every pull request and release build is automatically validated without slowing developer velocity
• Maintain dashboards and reporting on vulnerability trends, scan coverage, mean time to remediate (MTTR), and open risk posture across the product portfolio
• Evaluate and onboard new security tools as the threat landscape and technology stack evolve

Vulnerability Identification, Reproduction & Remediation
• Triage findings from SAST/SCA/container scans, assessing real-world exploitability in the context of our platform rather than relying on CVSS scores alone
• Reproduce open-source and third-party library vulnerabilities in controlled environments to validate their impact and determine whether the vulnerable code path is actually reachable in our product
• Fix application security issues hands-on: SQL injection, XSS, CSRF, insecure deserialization, broken authentication, SSRF, path traversal, and other OWASP Top 10 vulnerabilities in the application codebase
• Plan and execute library upgrades to remediate known CVEs in open-source dependencies: assess compatibility impact, coordinate with development teams, and validate that upgrades do not introduce regressions
• Manage a vulnerability backlog with clear prioritization (critical/high and exploitable vs. low-risk and theoretical), SLA tracking, and regular reporting to engineering leadership

Application Security Engineering
• Conduct security code reviews for high-risk features: authentication/authorization flows, API security, data encryption, secrets management, and inter-module communication (API/MQ)
• Define and enforce secure coding standards and guidelines for the development teams, covering input validation, output encoding, parameterized queries, secure session management, and cryptographic practices
• Perform or coordinate DAST (Dynamic Application Security Testing) and periodic penetration testing, managing findings through to closure
• Review and harden Kubernetes deployment configurations: Pod Security Standards and Pod Security Admission (the PodSecurityPolicy API was removed in Kubernetes 1.25), network policies, RBAC, secrets management (Vault/Sealed Secrets), and container runtime security
• Ensure secure handling of sensitive financial data in transit and at rest, aligned with client security requirements and regulatory expectations

CI/CD Pipeline Ownership & DevOps
• Co-own CI/CD pipeline infrastructure (GitLab Runner/GitLab CI): build pipeline optimization, artifact management, deployment automation, and environment provisioning
• Implement and maintain infrastructure-as-code for security tooling (Terraform/Helm charts for scanning infrastructure, policy-as-code for compliance checks)
• Manage the Docker image lifecycle: base image hardening, image scanning in registries, tag governance, and minimal-footprint production images
• Automate security compliance checks: license scanning for open-source dependencies, secrets detection in code repositories (Gitleaks/TruffleHog), and configuration drift detection
• Support deployment pipelines for Kubernetes environments: Helm chart security, admission controllers, and runtime protection integration

Compliance, Audit & Governance
• Support compliance efforts (SOC 2, ISO 27001, or client-specific security assessments) by providing evidence of security controls, scan reports, and remediation records
• Coordinate with external penetration testing firms: scope definition, environment preparation, finding triage, and remediation tracking
• Maintain security documentation: threat models, security architecture diagrams, incident response runbooks, and vulnerability management procedures
• Produce regular security posture reports for engineering leadership and client-facing teams, translating technical findings into business risk language

Team Leadership & Security Culture
• Lead, mentor, and develop 1–2 junior SecOps/AppSec engineers, establishing workflows, review processes, and growth paths
• Drive a security-aware culture across engineering: conduct threat modeling workshops, secure coding training sessions, and brown-bag presentations on real-world vulnerabilities
• Create and maintain an internal security knowledge base: remediation playbooks, common vulnerability patterns in the codebase, and library upgrade guides

Required Qualifications
• 5–8 years of hands-on experience in application security, SecOps, or DevSecOps for enterprise software products
• Strong experience with SAST tools (Veracode and/or SonarQube): policy configuration, scan management, false positive tuning, and developer-facing remediation guidance
• Hands-on experience with SCA (Software Composition Analysis): identifying vulnerable open-source libraries, assessing exploitability, and planning and executing library upgrades across large codebases
• Experience with container security scanning (Trivy, Aqua, or Prisma Cloud) and Docker image hardening best practices
• Proven ability to reproduce and fix application-level vulnerabilities (OWASP Top 10) in production codebases: not just scan and report, but actively remediate
• Strong CI/CD pipeline experience (Jenkins or GitLab CI): building, maintaining, and optimizing build/deploy pipelines with integrated security gates
• Working knowledge of Kubernetes security: Pod Security Standards, RBAC, network policies, secrets management, and admission controllers
• Proficiency in at least one application language used in the product stack (Java, Python, JavaScript/TypeScript, or Go) to conduct code reviews and fix vulnerabilities
• Experience producing compliance evidence and supporting security audits (SOC 2, ISO 27001, or client security questionnaires)
• Strong communication skills: ability to explain vulnerabilities and risk to both developers and non-technical stakeholders

Preferred Qualifications
• Experience securing financial services / fintech platforms, particularly systems handling sensitive client data in regulated environments
• Familiarity with DAST tools (OWASP ZAP, Burp Suite) and manual penetration testing techniques
• Knowledge of infrastructure-as-code security scanning (Checkov, tfsec for Terraform templates)
• Experience with cloud security posture management on AWS and/or Azure (GuardDuty, Security Hub, Defender for Cloud)
• Certifications: CEH, OSCP, CISSP, AWS Security Specialty, or CKS (Certified Kubernetes Security Specialist)
• Experience building security champions programs to embed security awareness within development teams

Department: Development
Role: DevSecOps
Locations: Noida
Remote status: Hybrid

About NeoXam

NeoXam is a leading financial software company, delivering solutions and services for 175+ customers in 25 countries worldwide. NeoXam is committed to its clients' success: we deliver reliable and scalable solutions, processing more than €25 trillion worth of assets per day and serving over 10,000 users. Through its combined talents and transparent approach, NeoXam helps buy- and sell-side players address the continuous changes in the financial market industry, to grow and better serve their clients. NeoXam relies on 800+ staff, is headquartered in Paris and has 20 offices across the globe.

Founded in 2014
Co-workers: 800