Qureos


Security Consultant

Cloud Agnostic Reviews – Familiarity with the major cloud providers (Microsoft, Amazon, Google, and Oracle). Understanding of cloud security principles and experience performing security reviews across multiple cloud platforms and technologies: serverless (Azure Functions / AWS Lambda), storage, cloud cryptographic key management, virtual machines, access control policies, and virtual desktops.

Organization Unit Purpose

Our client's Security Assessment team is responsible for evaluating all production-bound deployments to ensure they meet the organization's security standards. The team plays a critical role in identifying vulnerabilities, assessing risks, and enforcing security controls across applications, infrastructure, and services. By working closely with development and operations teams, the Security Assessment team ensures that security is integrated into every stage of the deployment lifecycle.

Technical Requirements

Application Security Assessment

  • Web Application Security – OWASP Top 10, advanced web attack exploitation, attack chaining, vulnerability scoring, etc.
  • Security Code Review – Automated and manual source code review.
  • API Security Review – Deep understanding of the OAuth 2.0 standards, SAML/SSO/OAuth-based attacks, JWT-based attacks, OWASP API Security Top 10, etc.
  • Data Security – Able to assess the implications of international regulations and standards on an application's data security, and whether the application complies with them (PDPL, GDPR, CBUAE, CBE, RBI, PCI-DSS, ISO 27001, etc.).
  • Configuration Review – Experience performing configuration reviews across a range of systems and identifying impactful misconfigurations.
  • Integration Review – Understanding of how the application connects to other systems, and experience performing security reviews of those integrations.
  • Transport Layer Security – Understanding of how communication channels are secured, and of TLS mechanisms and controls.

Mobile Application Security Assessment

  • Mobile Application Security – Deep knowledge of OWASP Mobile Top 10, advanced mobile attack exploitation techniques, reverse engineering, attack chaining across app–API–backend, and vulnerability scoring.
  • Mobile Code Review – Automated and manual source code review for mobile platforms (Java/Kotlin for Android, Swift/Objective-C for iOS, hybrid frameworks such as React Native/Flutter), detection of insecure coding practices and cryptographic misuse.
  • API & Backend Security Review – Proficiency in the OAuth 2.0 standards, mobile-specific authentication flows (PKCE), SAML/SSO/OAuth-based attacks, JWT-based attacks, and the OWASP API Security Top 10 as they relate to mobile applications.
  • Mobile Data Security – Assessment of data storage and protection mechanisms on-device (Keychain, Keystore, Secure Enclave, encrypted databases), secure data transmission, and compliance with regulations/standards such as PDPL, GDPR, CBUAE, CBE, RBI, PCI-DSS, ISO 27001, etc.
  • Configuration & Deployment Review – Identification of insecure mobile app configurations, insecure Android/iOS permissions, export settings, build configurations, and protection against debugging, tampering, and repackaging.
  • Integration Review – Security assessment of integrations with mobile SDKs, payment gateways, push notification services, third-party libraries, and MDM/MAM platforms.
  • Transport Layer Security – Evaluation of TLS implementation, SSL pinning, certificate validation, secure handshake, and protections against MITM attacks in mobile communication channels.
  • Reverse Engineering & Tamper Resistance – Experience with mobile reverse engineering tools (e.g., Frida, Objection, JADX, Hopper, Ghidra), bypassing client-side controls, and evaluating obfuscation, anti-debugging, and anti-tampering protections.

Infrastructure Security Assessment

  • Database Security – Ability to define hardening requirements for enterprise-grade databases (SQL Server, Oracle, PostgreSQL, MySQL, MongoDB, etc.) and a good understanding of the operational impact hardening has on them.
  • Web Server Security – Ability to define hardening requirements for enterprise-grade web and application servers such as IIS, Apache Tomcat, JBoss, etc.
  • Infrastructure Assessments – Proven experience in conducting comprehensive infrastructure security assessments across servers, networks, databases, virtualization platforms, and cloud environments.
  • Vulnerability Management - Strong expertise in identifying and analyzing vulnerabilities, misconfigurations, and privilege escalation paths within on-premises and cloud infrastructures. Experience with vulnerability management programs, including scanning, prioritization, patch governance, and remediation tracking.
  • Reviews against Industry Standards - Proficiency in reviewing operating system, middleware, and network device configurations against industry benchmarks (CIS, NIST, vendor best practices) and recommending remediation.
  • Identity and Access Management - Hands-on experience with access control and identity management, including Active Directory, LDAP, IAM policies, and privileged account management.
  • User Access Reviews - Demonstrated ability to conduct periodic User Access Reviews to ensure compliance with the principle of least privilege and timely removal of unnecessary accounts.
  • Cryptography - Solid understanding of encryption, TLS configurations, certificate lifecycle management, and secure communication protocols.
  • Regulatory Assessments - Knowledge of regulatory and compliance requirements (e.g., GDPR, PDPL, CBUAE, CBE, RBI, PCI-DSS, ISO 27001, HIPAA) and ability to assess infrastructure alignment with these standards.

Container Security Assessment

  • Container Security Assessment – Proficiency in identifying vulnerabilities and misconfigurations in containerized environments (Docker, Podman, CRI-O) and orchestrators (Kubernetes, OpenShift), with knowledge of container escape techniques and privilege escalation paths.
  • Image Security & Hardening – Review and hardening of container images, minimization of base images, removal of unused packages, and ensuring images are signed and sourced from trusted registries.
  • Configuration Review – Assessment of container runtime configurations, Kubernetes manifests, Helm charts, security context settings, RBAC policies, and network policies to align with CIS Benchmarks and best practices.
  • Access Control & Identity Management – Evaluation of Kubernetes / OpenShift API access controls, role-based access control (RBAC), service accounts, and secrets management to enforce the principle of least privilege.
  • User Access Reviews – Periodic review of user and service account permissions in container orchestration platforms to ensure correct access levels and removal of stale accounts.
  • Data Security & Compliance – Secure storage of sensitive data in containerized workloads, encryption at rest and in transit, and adherence to PDPL, GDPR, CBUAE, CBE, RBI, PCI-DSS, ISO 27001, and NIST compliance requirements.
  • Network Security – Implementation and review of Kubernetes network policies, service mesh security (Istio, Linkerd), ingress/egress restrictions, and protection against lateral movement between pods.
  • Transport Layer Security – Ensuring TLS is correctly implemented for pod-to-pod, pod-to-service, and service-to-external communications, including certificate rotation and mTLS where applicable.
  • Supply Chain Security – Review of CI/CD pipelines for security vulnerabilities, implementation of container image scanning (e.g., Trivy, Anchore, Clair), and software bill of materials (SBOM) validation.
  • Runtime Security Monitoring – Use of tools like Falco, Aqua, Prisma Cloud, or Sysdig to detect anomalous behavior, policy violations, and container compromise attempts in real time.
  • Resilience & Incident Response Readiness – Backup and recovery strategy for Kubernetes resources, forensic readiness for containerized workloads, and integration with centralized logging and SIEM systems.
  • Vulnerability Management & Patch Governance – Continuous scanning of container images and orchestrator components, timely application of patches, and tracking of CVEs affecting container ecosystems.
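The Configuration Review and Access Control bullets above describe what a reviewer looks for in a pod's security context; the script below is an illustration added to this page (not the posting's or any client's code) of those checks in working form. A deliberately weak manifest and its hardened counterpart are embedded as constructed samples, manifests are plain dicts (what a YAML loader returns) so only the standard library is needed, and the image names, namespace and helper names are the example's own assumptions.

```python
"""Security-context spot check for Kubernetes pod specs (illustration only)."""

# Constructed "before": the kind of spec a reviewer typically receives.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "payments-api:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

# Constructed "after": the same workload with the settings the reviewer asks for.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments-api@sha256:" + "a1" * 32,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of the pod template inside a workload."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, Job


def review_pod_security(manifest):
    """Return a list of findings; an empty list means nothing was flagged."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is true (shares a host namespace)")
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service-account token auto-mounted (automountServiceAccountToken not false)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath {vol['hostPath'].get('path')} exposes the node filesystem")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged (full device access, trivial escape to the node)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not false (setuid/file capabilities usable)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        # Container-level settings override pod-level ones, so resolve in that order.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root (runAsNonRoot not true)")
        if not (sc.get("seccompProfile") or pod_sc.get("seccompProfile")):
            findings.append(f"{name}: no seccomp profile (RuntimeDefault at minimum)")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image {c.get('image')!r} not pinned by digest")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits (noisy-neighbour / DoS risk)")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, review_pod_security(manifest) or "clean")
```

In practice the input is the parsed output of `kubectl get <kind> <name> -o json` or a YAML-loaded Helm render; the same function handles Deployments, StatefulSets, DaemonSets, Jobs and CronJobs by descending into their pod template. The hostPath mount of the container runtime socket is called out separately because it grants the same control over the node as `privileged` even when every other setting is correct.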

CICD Automation Security Assessment

  • CI/CD Pipeline Security Assessment – Proficiency in identifying vulnerabilities, misconfigurations, and insecure practices in CI/CD tools (Jenkins, GitLab CI, GitHub Actions, Azure DevOps, Bitbucket Pipelines, etc.) and their integrations.
  • Source Code Repository Security – Review of repository configurations, branch protection rules, secret scanning, commit history review for sensitive data exposure, and enforcing signed commits.
  • Build & Deployment Process Security – Ensuring integrity of build artifacts, secure artifact storage, and validation that only approved and verified code reaches production.
  • Access Control & Identity Management – Review of pipeline user accounts, service accounts, API tokens, and integration keys to enforce least privilege and prevent credential sprawl.
  • User Access Reviews – Periodic review of access rights for developers, DevOps engineers, and service accounts involved in CI/CD to ensure correct permissions and timely removal of stale accounts.
  • Data Security & Compliance – Secure handling of sensitive data within pipelines (e.g., environment variables, config files, secret managers) in compliance with PDPL, GDPR, CBUAE, CBE, RBI, PCI-DSS, ISO 27001, and other relevant standards.
  • Secrets Management – Integration and security of vault solutions (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.), secret rotation policies, and prevention of plaintext secret storage.
  • Pipeline Configuration Review – Ensuring security scanning stages (SAST, DAST, SCA, container scanning) are enforced in CI/CD workflows, with gating policies before deployment.
  • Integration Security – Assessment of integrations with third-party tools, cloud services, package registries, and container platforms for secure authentication and data exchange.
  • Transport Layer Security – Verification of TLS usage for SCM, build agents, artifact repositories, and deployment targets, with protection against MITM attacks.
  • Supply Chain Security – Review of dependencies and build sources for tampering risks, implementation of SBOM generation, dependency scanning, and protection against software supply chain attacks (e.g., dependency confusion, typosquatting).
  • Monitoring & Incident Response Readiness – Integration of CI/CD logs with SIEM, anomaly detection for pipeline execution, and forensic readiness for investigating compromised builds.
  • Vulnerability Management & Patch Governance – Timely updates of CI/CD tools, plugins, and build environments, along with ongoing vulnerability scanning of build components.

Cryptography

  • Cryptographic Principles & Algorithms – Strong understanding of symmetric and asymmetric encryption, hashing, digital signatures, and key exchange protocols (RSA, ECC, AES, SHA-2/3, HMAC, Diffie–Hellman, ECDH, etc.).
  • Protocol Security Assessment – Ability to evaluate the security of cryptographic protocols such as TLS, IPsec, SSH, S/MIME, PGP, Signal protocol, and blockchain-related crypto implementations.
  • Randomness & Entropy Testing – Knowledge of weak random number generation attacks, entropy analysis, and detection of predictable key generation.
  • Key Management & Lifecycle Review – Assessment of secure key generation, storage, rotation, backup, destruction, and usage policies, including compliance with NIST SP 800-57 and related standards.
  • Implementation Flaw Detection – Identification of issues such as padding oracle vulnerabilities, weak cipher modes (ECB, CBC with a static or predictable IV), replay attacks, downgrade attacks, and side-channel leaks (timing attacks, power analysis).
  • Cryptanalysis Techniques – Familiarity with attacks such as brute force, meet-in-the-middle, differential and linear cryptanalysis, chosen-plaintext/chosen-ciphertext attacks, and birthday attacks.
  • Transport Layer Security Review – Evaluation of TLS/SSL configurations, cipher suite selection, certificate management, and protection against known protocol and implementation flaws (BEAST, POODLE, Heartbleed, ROBOT, Lucky 13).
  • Public Key Infrastructure (PKI) Security – Assessment of CA trust chains, certificate issuance policies, OCSP/CRL validation, and root/intermediate certificate protection.
  • Secure Hashing & Integrity Verification – Understanding of collision resistance, pre-image resistance, and practical collision attacks against broken hash functions (MD5, SHA-1).
  • Cryptographic API & Library Review – Review of cryptographic API usage in applications (OpenSSL, BouncyCastle, libsodium, WebCrypto API, etc.) to detect misuse, insecure defaults, or deprecated algorithms.
  • Compliance & Standards Knowledge – Awareness of FIPS 140-3, ISO/IEC 19790, PCI-DSS, and local regulatory requirements related to cryptographic usage.
  • Post-Quantum Cryptography Awareness – Familiarity with emerging NIST PQC algorithms and risks associated with current algorithms against quantum computing.
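The padding oracle named under Implementation Flaw Detection is easier to assess when you have seen the attack run. The Python walk-through below is an illustration added to this page, not part of the posting or any client's code: a server that reveals whether PKCS#7 padding was valid, and an attacker that recovers a CBC-encrypted value from that single bit. Because the standard library ships no AES, a small HMAC-keyed Feistel network stands in for the block cipher; that stand-in, the constructed secret and the function names are the example's own assumptions, while the oracle and the byte-by-byte recovery are exactly what would run against AES-CBC.

```python
"""CBC padding-oracle walk-through (illustration only; Feistel stand-in, not AES)."""
import hashlib
import hmac
import os

BLOCK = 16
HALF = BLOCK // 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    """Feistel round function: a keyed PRF standing in for a real cipher round."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    padded = pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, data):
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return unpad(b"".join(out))


def padding_oracle(key, data):
    """The flaw: the server lets a caller distinguish bad padding from success."""
    try:
        cbc_decrypt(key, data)
        return True
    except ValueError:
        return False


def recover_plaintext(oracle, data):
    """Recover the padded plaintext of IV||ciphertext using only the oracle."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # known bytes are forced to padval
                forged[j] = inter[j] ^ padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (etc.) match
                    forged[pos - 1] ^= 1
                    still_valid = oracle(bytes(forged) + target)
                    forged[pos - 1] ^= 1
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted a padding byte")
        plain += _xor(inter, prev)
    return plain


def demo(secret=b"card=4111111111111111;cvv=123"):
    """Encrypt a constructed secret under a random key, then recover it via the oracle."""
    key, iv = os.urandom(32), os.urandom(BLOCK)
    data = cbc_encrypt(key, iv, secret)
    return unpad(recover_plaintext(lambda d: padding_oracle(key, d), data))


if __name__ == "__main__":
    print(demo())
```

The attacker never touches the key: each ciphertext block is recovered with at most 256 oracle calls per byte by forging the preceding block. The remediation a reviewer should recommend is not a quieter error message but authenticated encryption (AES-GCM or ChaCha20-Poly1305) or encrypt-then-MAC, so the server rejects tampered input before it ever unpads; the timing difference between a MAC failure and a padding failure is what Lucky 13 exploited in TLS.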

Cloud Security Assessments

  • Cloud Security Architecture Review – Well-versed in the network topologies used in cloud-native and hybrid cloud environments; aware of identity management and role-based access control in the cloud, conditional access policies, advanced threat protection, and MAM (Mobile Application Management) / MDM (Mobile Device Management) delivered via the cloud; understands how a cloud access security broker (CASB) works.
  • Cloud Security Posture Management – Well-versed in reviewing the complete cloud security posture, with hands-on use of CSPM tools such as Wiz to keep that posture at an appropriate level.
  • SaaS Security Posture Management – Well-versed in reviewing the security posture of SaaS (Software-as-a-Service) applications through SSPM tool integrations, and in maintaining a sufficient security posture across the SaaS offerings the Bank uses.
  • Data Leakage Prevention – Ensure data security is maintained in cloud environments through appropriate storage and encryption methods, and that data does not leave the authorized environment.

Security Tooling

The candidate should be well-versed with the following tools and languages.

  • Burp Suite
  • OWASP ZAP Proxy
  • Tenable
  • Checkmarx
  • Kali Linux
  • Metasploit
  • Semgrep
  • Nuclei (Project Discovery)
  • MobSF
  • Objection Framework
  • Frida toolkit
  • Android Emulators
  • GitHub
  • Visual Studio Code
  • Containers – Docker, containerd, Podman, or similar
  • Container orchestration technologies such as Kubernetes or Red Hat OpenShift
  • Jenkins / CircleCI / Argo CD
  • Terraform
  • Ansible
  • Python
  • Rust
  • NodeJS
  • SSPM tools such as AppOmni
  • CSPM tools such as Wiz

Risk Assessment and Reporting

  • Demonstrated ability to interpret and translate security requirements mandated by regulatory bodies, oversight functions, and internal governance frameworks into actionable security controls. Ensures these requirements are comprehensively addressed within high-level designs, architectural documentation, and/or agile development processes (e.g., via “Evil Stories” or equivalent mechanisms).
  • Capable of engaging with architecture, development, security, and leadership teams to discuss identified risks, recommend mitigations, and present balanced, practical security solutions aligned with business objectives.
  • Skilled in analyzing and interpreting vulnerability assessment and penetration testing reports, accurately determining the inherent and residual risks, and assessing their impact and likelihood within the organization’s risk management framework.
  • Applies sound risk-based judgment in evaluating exception or deviation requests, ensuring that residual risks are understood, documented, and accepted at the appropriate governance level.
  • Demonstrates the ability to influence and drive security improvements through collaboration, education, and advocacy, favoring influence and enablement over enforcement or policing.
  • Exceptional written and verbal communication skills, with the ability to clearly articulate complex technical risks, mitigation strategies, and recommendations to both technical and non-technical stakeholders, including executive audiences.
  • Experience preparing and presenting risk reports, metrics, and dashboards that provide visibility to senior management and oversight committees, ensuring informed decision-making on security posture and risk exposure.
  • Ability to maintain a holistic view of the organization’s security landscape, connecting individual technical findings to broader business and operational risks.
  • Demonstrated professionalism, independence, and discretion when managing sensitive risk-related information and discussions.

Soft Skills

  • Proven ability to engage and collaborate effectively with diverse stakeholders, aligning their expectations with security objectives.
  • A strategic and holistic mindset, capable of balancing security requirements with functional needs through practical, demonstrable solutions, while promoting and applying sound architectural principles to reduce technical debt.
  • Confident and assertive presence in project boards and working groups, with the ability to influence discussions and decisions.
  • Exceptional written and verbal communication skills, with the capability to present complex technical findings in a clear, concise, and business-friendly manner.
  • Resilient under pressure, with a history of meeting challenging deadlines without compromising quality.
  • Persuasive and influential in articulating security risks and concerns to varied audiences, including internal IT teams, senior executives, and risk and audit functions.
  • Strong understanding of Risk Management Frameworks and hands-on experience implementing security controls.
  • Demonstrated decision-making, planning, and time management skills with the ability to work independently.
  • Positive, constructive, and solutions-oriented attitude in all professional interactions.

Education

  • Bachelor’s degree in computer science, cyber/information security, or a related field.
  • General Information Security: OSCP, CEH, CISA / CISM, CRTP, CRTE or similar
  • General Cloud Security: CCSK / CCSP or similar
  • Specific Cloud Security: Azure Security, AWS Security, Oracle Security or similar
  • Network Security: CCIE – Security or similar.
  • Container Security: Certified Kubernetes Security Specialist (CKS), Red Hat Certified Specialist in Security, or similar.

Experience

Must have a minimum of 5 years of experience in information security assessments or penetration testing and at least 3 years of experience in BFSI (Banking, Financial Services, and Insurance) sector. Must have a good understanding of IT systems, infrastructure, and networking, and be exceptionally good with stakeholder management and people management.

Job Type: Full-time

Pay: AED13,000.00 - AED15,000.00 per month

Work Location: In person

© 2026 Qureos. All rights reserved.