Security Engineer

We are looking for a hands-on Security Engineer to join our cross-project core team and take ownership of security across three products:

1. A Java-based platform with microfrontends running on Azure.

2. A web portal built with NestJS and React.

3. An AI portal built with NestJS and React, running on Azure and AWS (Bedrock, Lambda, Kendra).

You will work closely with our architecture team to prepare and maintain security plans, perform threat modelling, and execute security testing for applications, cloud infrastructure, SSO, and authorization services.

• Own application and infrastructure security across three projects:

  • Java microservices and microfrontends on Azure (Container Apps, Static Web Apps, databases).

  • Web portal based on NestJS and React.

  • AI portal on Azure and AWS (Bedrock, Lambda, Kendra).

• Prepare and refine security plans and threat models together with the architecture team.

• Perform security testing of Azure infrastructure:

  • Azure Container Apps, Static Web Apps, databases, networking, and related services.

  • Review Azure security posture (e.g., Defender for Cloud, logging, monitoring).

• Perform security testing of web applications:

  • Frontend (React / microfrontends) and backend services (Java, NestJS).

  • APIs, authentication and authorization flows, and integrations.

• Assess the security of AI services running on AWS:

  • Bedrock, Lambda functions, Kendra, and data flows between Azure and AWS.

  • Identify risks related to data exposure, prompt injection, access control, and logging.

• Review and harden SSO and authorization:

  • Analyze Keycloak (deployed on Azure) configuration, OIDC/OAuth2 flows, session management, and token handling.

  • Review roles and permissions implemented via OpenFGA; validate least-privilege, multi-tenant isolation, and access control rules.

• Analyze and validate existing threat models and the security plan; propose updates based on new findings.

• Identify security vulnerabilities and propose mitigation strategies with clear prioritization (risk, impact, effort).

• Use a combination of manual testing and automated tools to perform:

  • Web application security testing (OWASP Top 10, API security).

  • Infrastructure and configuration security assessments.

• Provide clear, structured security testing reports with:

  • Findings, risk rating, business impact.

  • Recommended remediation steps and follow-up actions.

• Collaborate with architecture, development, and DevOps teams to ensure fixes are properly implemented and verified.

• Proven experience in security testing of cloud environments, preferably Azure (infrastructure, PaaS services, networking, identity).

• Experience in web application security testing, including strong practical knowledge of:

  • OWASP Top 10, API security, and common web vulnerabilities.

  • Authentication and authorization patterns (OAuth2, OIDC, JWT).

• Experience with security testing tools, such as:

  • OWASP ZAP, Burp Suite, or similar DAST tools.

  • SAST / dependency scanning / code quality tools (e.g., SonarQube).

  • Cloud security posture tools (e.g., Azure Security Center / Defender for Cloud).

• Good understanding of:

  • Network security (firewalls, segmentation, VPNs, secure connectivity).

  • Application security (secure coding principles, input validation, session management).

  • Cloud security best practices (identity, secrets management, logging, monitoring).

• Ability to document findings clearly and propose actionable improvements for technical and non-technical stakeholders.

• Ability to read and reason about code and APIs in at least some of the stack:

  • Java, TypeScript/JavaScript (NestJS, React).

• Experience working in close collaboration with architecture and engineering teams.

• Experience with Azure security services:

  • Defender for Cloud, Key Vault, Azure Firewall, Application Gateway / WAF, Azure Front Door.

• Experience with AWS security concepts and services, especially in the context of:

  • Lambda, IAM, Bedrock, Kendra, and secure data flows between clouds.

• Hands-on experience with:

  • Automated security scanning in CI/CD pipelines.

  • Infrastructure-as-code security (Terraform, Bicep, or similar).

• Experience securing SSO solutions:

  • Keycloak, OIDC/OAuth2, and federation scenarios.

• Understanding or experience with authorization frameworks:

  • Policy-based access control (e.g., OpenFGA, Open Policy Agent).

• Security-related certifications (e.g., AZ-500, SC-200, AWS Security Specialty, OSCP, CEH, CISSP, CCSP) are a plus.