Posted on: 03/09/2025
Location : Chennai (HQ) Onsite.
Function : Product Security.
Experience : 7 - 12 years (incl. 2+ years in a lead/ownership role).
About the role :
Angular UIs, and Android/Flutter apps - policy, standards, and release gates.
- Build and run CI/CD security controls : SAST, SCA/SBOM, secrets & IaC checks, container/image scanning; automate DAST/IAST in pipelines; enforce block-on-fail where needed.
- Drive VAPT end-to-end : Scope with internal/third-party testers, triage findings, set SLAs, track remediation to closure; verify fixes and prevent regressions.
- Threat model & review designs/code for authN/Z, crypto, session management, API security, data protection/PII, and high-risk modules (payments, onboarding, documents).
- Cloud & platform security (AWS) : baselines for EC2/ALB, RDS/KMS, S3 policies, network segmentation, mTLS/JWT service auth, Vault-backed secrets, and key rotation.
- Observability & governance : wire security logs to SIEM, define AppSec KPIs (MTTR, SLA adherence, gate coverage), and report risk posture to engineering leadership.
- Upskill teams : run secure coding workshops, build a security champions program, create playbooks/runbooks for common vulns and abuse cases.
What you'll bring :
- 7 - 12 years in Application/Product Security, including leading Secure SDLC and VAPT remediation in a product engineering environment.
- Prior experience integrating security checks and gating criteria into CI platforms, using tools like SonarQube.
- Strong grasp of OWASP Top 10, API Security Top 10, ASVS, CWE, secrets management, and CI/CD hardening.
- AWS security experience : IAM, KMS, RDS encryption, SG/WAF, CloudTrail/GuardDuty; familiarity with Docker/Kubernetes and IaC (Terraform/CloudFormation).
- Experience running vendor/3rd-party VAPT cycles and landing fixes to SLA with engineering teams.
- Awareness of compliance contexts (ISO 27001/SOC 2, RBI guidance, DPDP Act) and secure handling of PII/financial data.
- Nice to have : mobile app security (OWASP MASVS), OAuth2/OIDC, mTLS, WebAuthn/modern auth patterns; Kafka, Redis, NGINX, Consul, Vault.
- Certifications (optional, a plus) : OSWE/OSCP, GWAPT/GWEB, CSSLP.
What success looks like (first 6 months) :
- 95% of Critical/High findings closed within SLA across services.
- All repos behind security gates with SBOMs published; zero hard-coded secrets; baseline threat models for top services.
- Repeatable VAPT remediation verification loop with dashboards visible to leadership.
Why join us :
- High ownership, direct impact, and the chance to set the bar for product security across our stack.
- Collaborative culture with strong engineering, rapid delivery, and growth opportunities.
Posted By
Rohit Gupta
Sr. Talent Acquisition at HOTFOOT TECHNOLOGY SOLUTIONS PRIVATE LIMITED
Last Active: 2 Dec 2025
Posted in
CyberSecurity
Functional Area
IT Security
Job Code
1539974