Senior Application & Infrastructure Security Engineer

About The Position

Requirements

• 8+ years of hands-on experience in application, infrastructure, and web security
• Deep expertise in OWASP Top 10 vulnerabilities: SQLi, XSS, CSRF, IDOR, RCE, SSRF, and clickjacking
• Proven experience with DDoS attack detection, mitigation, and post-incident analysis
• Strong command of Cloudflare — WAF rules, Bot Management, Turnstile, Rate Limiting, Transform Rules, and Firewall Events analysis
• Hands-on AWS security experience: IAM policies, Security Groups, VPC design, API Gateway throttling, WAFv2, Shield, GuardDuty, and CloudTrail
• Deep understanding of API security: authentication flows (OAuth2, JWT, OTP abuse), rate limiting and endpoint hardening
• Experience securing frontend applications against XSS, CSP bypass, clickjacking, and third-party script risks
• Backend security expertise: input validation, secure coding practices, secrets management, SQL injection prevention
• Proficiency with penetration testing tools: Burp Suite, OWASP ZAP, Nmap, Metasploit, Nikto
• Experience conducting and managing vulnerability assessments, threat modelling, and security audits
• Solid understanding of TLS/SSL, HTTP security headers (HSTS, CSP, X-Frame-Options), certificate management
• Experience with SIEM platforms, log aggregation, alert tuning, and incident response
• Knowledge of bot mitigation strategies — JA3/JA4 fingerprinting, bot scoring, heuristic vs ML detection
• Familiarity with compliance frameworks: ISO 27001, SOC 2, PCI-DSS, or GDPR
• Strong written and verbal communication skills — able to produce security reports and brief non- technical stakeholders
• Hands-on experience integrating security testing into CI/CD pipelines: SAST, DAST, SCA, and secrets scanning as automated gates

Responsibilities

• Own and drive the end-to-end security posture of all web, API, and infrastructure surfaces
• Identify, assess, and remediate vulnerabilities across frontend (web + Electron), backend services, and cloud infrastructure
• Design and enforce security controls at the Cloudflare edge — WAF policies, bot mitigation rules Turnstile integrations, and rate limiting strategies
• Harden AWS environments: API Gateway, EC2, Lambda, S3, RDS, and supporting services in line with least-privilege and zero-trust principles
• Lead threat modelling sessions for new product features and flag security gaps before they reach production
• Monitor, investigate, and respond to security incidents — from Cloudflare firewall events and WAF alerts to SIEM-detected anomalies
• Conduct regular penetration testing and vulnerability assessments; triage and prioritise findings by business impact
• Define and enforce HTTP security header policies (CSP, HSTS, X-Frame-Options, Referrer-Policy) across all domains
• Build and maintain a DDoS response playbook; lead active mitigation during volumetric and application-layer attacks
• Partner with engineering teams to embed secure coding practices and participate in code reviews for security-sensitive changes
• Manage the responsible disclosure and bug bounty programme; triage external researcher reports
• Produce clear security reports, risk registers, and executive briefings; track remediation SLAs
• Stay current on emerging attack vectors, CVEs, and threat landscape changes relevant to online gaming and fintech platforms