hirist

Sony - Application Security Design Review Analyst

Posted on: 27/02/2026

Job Description

Required Skills & Qualifications :

Authentication & Authorization Expertise :

- 8+ years of experience in application security with focus on authentication and authorization.

- Deep understanding of authentication mechanisms (username/password, MFA, biometric, SSO).

- Expert knowledge of authentication protocols (OAuth 2.0, OpenID Connect, SAML, JWT).

- Strong expertise in authorization patterns (RBAC, ABAC, ReBAC, PBAC).

- Understanding of federation and identity management concepts.

- Knowledge of passwordless authentication approaches.

Session Management Expertise :

- In-depth knowledge of session management best practices.

- Understanding of session storage mechanisms (server-side, client-side, distributed).

- Knowledge of session security controls (timeouts, rotation, invalidation).

- Expertise in identifying session-related vulnerabilities (fixation, hijacking, prediction).

- Understanding of token-based session management.

- Knowledge of cookie security attributes and configurations.

Data Flow Security :

- Ability to analyze application data flow diagrams.

- Understanding of data classification and sensitive data handling.

- Knowledge of data protection mechanisms (encryption in transit and at rest).

- Expertise in identifying data exposure risks in application flows.

- Understanding of input validation and output encoding requirements.

- Knowledge of secure data transmission patterns.

Technical Knowledge :

- Strong understanding of web application architectures.

- Knowledge of API security patterns (REST, GraphQL).

- Understanding of mobile application authentication flows.

- Familiarity with microservices authentication and authorization.

- Basic knowledge of cryptography and secure token generation.

- Understanding of common authentication vulnerabilities (OWASP Top 10).

Threat Modeling :

- Experience with threat modeling methodologies (STRIDE preferred).

- Ability to identify authentication and authorization threats.

- Knowledge of attack patterns for broken authentication and access control.

- Understanding of OWASP ASVS Chapter 2 (Authentication) and Chapter 4 (Access Control).

Preferred Qualifications :

- Security certifications focused on application security.

- Experience with identity and access management (IAM) solutions.

- Knowledge of standards like NIST 800-63 (Digital Identity Guidelines).

- Understanding of privacy requirements related to authentication.

- Experience with single sign-on (SSO) implementations.

- Familiarity with zero-trust authentication principles.

Educational Qualifications :

- Bachelor's or Master's degree in Computer Science, Information Security, or related field.

- Equivalent work experience will be considered.

Key Competencies

- Deep analytical skills for reviewing authentication and authorization flows.

- Strong understanding of session security principles.

- Ability to trace and validate data flows.

- Excellent communication skills to explain security findings.

- Collaborative approach with development teams.

- Detail-oriented with focus on access control logic.

- Problem-solving mindset for authentication design challenges.

Scope Limitations :

This role specifically focuses on :

- Authentication mechanisms and flows.

- Authorization and access control designs.

- Session management configurations.

- Application data flow security.

Department :

- SIE Product Security.

Open Positions :

Skills Required :

- OWASP Top 10, Information Security, Threat Modeling, Web Application Architecture, Mobile Application Security.

Role :

Key Responsibilities :

Application Security Design Review :

- Conduct security design reviews focused on authentication and authorization mechanisms.

- Analyze session management architecture and identify security weaknesses.

- Review data flow diagrams to ensure secure handling of sensitive data.

- Evaluate application design documents for security gaps in auth flows.

- Assess login flows, user registration, password management, and account recovery designs.

- Review API authentication and authorization designs.

- Analyze token management and JWT implementation approaches.

Threat Modeling (Focused Scope) :

- Lead threat modeling sessions specifically for authentication and authorization flows.

- Identify threats related to session hijacking, session fixation, and session management.

- Analyze data exposure risks in application data flows.

- Assess privilege escalation risks in authorization designs.

- Document attack scenarios for authentication bypass and broken access control.

Security Requirements Definition :

- Define security requirements for authentication mechanisms.

- Specify authorization controls and access control requirements.

- Establish session management security requirements.

- Document data protection requirements for sensitive data flows.

- Ensure compliance with OWASP ASVS requirements for authentication and session management.

Collaboration & Guidance :

- Work with development teams to review authentication and authorization designs.

- Provide guidance on secure session management patterns.

- Advise on secure data flow implementation approaches.

- Review and validate remediation approaches for identified design flaws.

- Facilitate design review sessions with architects and developers.

Documentation & Reporting :

- Create security design review reports with findings and recommendations.

- Document threat models for authentication and authorization flows.

- Track and verify closure of identified design issues.

- Maintain secure design patterns for authentication, authorization, and session management.

Location :

- Bengaluru.

Education/Qualification :

- Bachelor's or Master's degree in Computer Science, Information Security, or related field.

Years Of Exp :

- 8 to 10 years.

Designation :

- Secure Design Review Analyst.
