SDE-I (Security)

Navi
Bengaluru, KA, India
June 15, 2026
On-site
Full-time
Penetration Testing
Entry · 0–2 yrs

About the job

About Navi

Navi is one of the fastest-growing financial services companies in India providing Personal & Home Loans, UPI, Insurance, Mutual Funds, and Gold. Navi's mission is to deliver digital-first financial products that are simple, accessible, and affordable. Drawing on our in-house AI/ML capabilities, technology, and product expertise, Navi is dedicated to building delightful customer experiences.

Founders: Sachin Bansal & Ankit Agarwal

Know what makes you a “Navi_ite”:

1. Perseverance, Passion and Commitment

  • Passionate about Navi’s mission and vision

  • Demonstrates dedication, perseverance, and high ownership

  • Goes above and beyond by taking on additional responsibilities

2. Obsession with high-quality results

  • Consistently creates value for the customers and stakeholders through high-quality outcomes

  • Ensures excellence in all aspects of work

  • Efficiently manages time, prioritizes tasks, and achieves higher standards

3. Resilience and Adaptability

  • Adapts quickly to new roles, responsibilities, and changing circumstances, showing resilience and agility

Position Summary

We are seeking a proactive and technically curious Security Engineer I to join our product security team. In this role, you will be on the front lines of defending our products, focusing heavily on Vulnerability Assessment and Penetration Testing (VAPT) across our web applications, mobile apps (iOS/Android), and backend APIs. Because we believe in scaling our defenses, a major component of this role involves writing automation to streamline repetitive testing and operational tasks. This is a fantastic opportunity for an early-career engineer who loves breaking things, writing code to build custom security tools, and collaborating with development teams to fix vulnerabilities.

Key Responsibilities

  • Application Penetration Testing: Conduct routine VAPT on web applications, REST/GraphQL APIs, and mobile applications (iOS and Android) to identify security flaws before they reach production.

  • Security Automation: Design, write, and maintain custom scripts and automation tools (primarily in Python, or another preferred language like Go/Bash) to streamline vulnerability scanning, log parsing, and reporting workflows.

  • Vulnerability Triage & Validation: Review alerts from automated security scanners (SAST/DAST), filter out false positives, and manually validate suspected vulnerabilities.

  • Developer Collaboration: Work directly with software engineering teams to clearly communicate the impact of identified vulnerabilities and provide actionable remediation guidance based on the OWASP Top 10.

  • Tool Maintenance: Assist in integrating, configuring, and tuning open-source and commercial security testing tools within our deployment pipelines.

  • Reporting & Documentation: Draft clear, concise penetration testing reports detailing attack vectors, proofs of concept (PoCs), and mitigation strategies.

Required Qualifications

  • Experience: 0–2 years of experience in application security, penetration testing, or software engineering (including strong internships, bug bounty experience, or intensive cybersecurity programs).

  • VAPT Knowledge: Hands-on understanding of the OWASP Top 10 (Web and Mobile) and the ability to manually exploit common vulnerabilities (e.g., XSS, SQLi, IDOR, improper API authorization).

  • Scripting & Automation: Strong proficiency in Python (or similar languages like Go, Ruby, or Bash). You should be comfortable interacting with APIs, automating tool executions, and manipulating data via code.

  • Security Tooling: Familiarity with standard penetration testing tools such as Burp Suite, OWASP ZAP, Postman, Nmap, or mobile-specific tools like MobSF.

  • Core Fundamentals: Solid understanding of how the web works (HTTP/HTTPS, TCP/IP, DNS), API architectures, and basic mobile application structures (APKs/IPAs).

Job Details

Experience

Entry · 0–2 yrs

Tools & Tech

Bash
Burp Suite
Go
Nmap
OWASP ZAP
Python
Ruby