Responsibilities:
SDLC Integration and AppSec Tooling
• Support the day-to-day operation of application security tooling across SAST, DAST, SCA (software composition analysis), secrets detection, and container image scanning.
• Help onboard new applications and repositories into AppSec tooling; configure scan policies and validate that pipelines are correctly instrumented.
• Assist with tuning of detection rules and policies to reduce false positives and improve signal quality for engineering teams.
• Maintain documentation, runbooks, and quick-reference guides for AppSec tooling and processes.
Findings Triage and Vulnerability Management
• Triage findings from AppSec tooling — validate, prioritize by risk and exploitability, deduplicate, and route to the appropriate engineering owners.
• Perform false positive validation on tooling findings — review code context, data flow, and exploitability conditions to confirm whether reported issues are genuine; document rationale for any findings marked as false positive or suppressed.
• Feed false positive patterns and suppression decisions back into tooling configuration, custom rules, and triage playbooks to continuously improve scan quality and reduce developer noise.
• Track open vulnerabilities through to closure; follow up with developer teams on aging findings and SLA adherence.
• Produce regular metrics and reporting on AppSec tooling coverage, finding volumes, false positive rates, mean-time-to-remediate, and trends; flag emerging risk patterns.
• Support coordination of remediation for high-impact open-source and supply-chain vulnerabilities (e.g., critical CVEs in widely used libraries).
Secure Code Review and Developer Enablement
• Participate in secure code reviews for new and changing applications under the guidance of senior architects, focusing on OWASP Top 10 and similar common weakness categories.
• Partner with developers to explain findings, recommend fixes, and answer "how should I do this securely?" questions — acting as an accessible first point of contact for AppSec.
• Contribute to secure coding guidelines, developer-facing checklists, and language- or framework-specific guidance documents.
• Support delivery of developer security awareness and training content (e.g., lunch-and-learns, secure coding labs, onboarding modules).
Collaboration and Communication
• Partner with engineering, platform, DevOps, and operations teams across global locations to support AppSec initiatives.
• Communicate findings, risks, and recommendations clearly and constructively to developers and engineering managers.
• Produce clear, audit-friendly documentation of triage decisions, exceptions, and remediation tracking.
• Continuously develop technical skills through structured mentorship, hands-on practice, and self-directed learning.
Qualifications
Required
• 2 - 3.5 years of experience in application security, software development, security engineering, or a closely related technical role (internships, co-ops, capstone projects, and CTF participation count).
• Bachelor’s degree in Computer Science, Information Security, Software Engineering, or a related field.
• Working knowledge of common application vulnerability classes (OWASP Top 10) and a foundational understanding of how they manifest in modern web and API applications.
• Reading-level proficiency in at least one mainstream programming language (e.g., Python, Java, C#, JavaScript/TypeScript, or Go) sufficient to follow code, understand control/data flow, and discuss findings credibly with developers.
• Familiarity with version control (Git), code review workflows, and CI/CD pipeline concepts.
• Foundational understanding of authentication, authorization, encryption, and input validation concepts.
• Strong analytical and problem-solving skills, with attention to detail and willingness to dig into technical evidence.
• Effective written and verbal communication skills; ability to explain technical issues to both technical and non-technical audiences.
• Demonstrated curiosity and self-driven learning — the role expects rapid growth in AppSec depth over the first 12–18 months.