Tata Consultancy Services

Application Security Engineer

On site

Toronto, Canada

Full Time

19-12-2025


Skills

Communication Python Java JavaScript Go TypeScript Jira Penetration Testing ServiceNow GitHub GitLab CI/CD DevOps Azure DevOps Test Security Testing Technical Writing Organization Azure AWS Software Development api testing Agile SDLC Recruitment JavaScript/TypeScript GCP Gitlab CI Terraform gRPC GitHub Actions

Job Specifications

Inclusion without Exception:

Tata Consultancy Services (TCS) is an equal opportunity employer, and embraces diversity in race, nationality, ethnicity, gender, age, physical ability, neurodiversity, and sexual orientation, to create a workforce that reflects the societies we operate in. Our continued commitment to Culture and Diversity is reflected in our people stories across our workforce and implemented through equitable workplace policies and processes.

About TCS:

TCS is an IT services, consulting, and business solutions organization that has been partnering with many of the world’s largest businesses in their transformation journeys for over 55 years. Its consulting-led, cognitive-powered portfolio of business, technology, and engineering services and solutions is delivered through its unique Location Independent Agile delivery model, recognized as a benchmark of excellence in software development. A part of the Tata group, India's largest multinational business group, TCS operates in 55 countries and employs over 607,000 highly skilled individuals, including more than 10,000 in Canada. The company generated consolidated revenues of US $ 30 billion in the fiscal year ended March 31, 2025 and is listed on the BSE and the NSE in India. TCS' proactive stance on climate change and award-winning work with communities across the world have earned it a place in leading sustainability indices such as the MSCI Global Sustainability Index and the FTSE4Good Emerging Index.

Role Summary:

The Application Security Engineer will perform end-to-end penetration testing on web applications and APIs to identify security vulnerabilities, assess risk, and drive remediation. The role includes planning and executing manual and automated tests, producing clear and actionable reports, collaborating with engineering teams to fix issues, and ensuring all findings are logged and tracked through closure in the vulnerability management system.

Key Responsibilities:

Penetration Testing & Assessment

• Plan, scope, and execute web application and API penetration tests across SDLC phases (pre-release and production).

• Perform recon, threat modeling, and attack surface mapping to prioritize test coverage.

• Identify and validate vulnerabilities including authentication/authorization flaws, injection, XSS, SSRF, deserialization, insecure direct object references (IDOR), logic bugs, misconfigurations, and sensitive data exposure.

• Test API endpoints (REST/GraphQL) for input validation, rate limiting, broken object-level authorization (BOLA), and schema/serialization issues.

• Use both automated scanning and manual exploitation to confirm impact, reproducibility, and exploit chains.

Reporting & Remediation Support

• Prepare detailed technical reports with PoCs, severity ratings (CVSS/SLA alignment), affected components, and business impact.

• Provide prioritized remediation guidance with code-level recommendations and secure patterns.

• Log all findings in the vulnerability tracking system (e.g., JIRA, Azure DevOps, ServiceNow, or dedicated VM platforms), ensuring accurate metadata (CWE/CVE, CVSS, asset, environment, owner).

• Track remediation progress, validate fixes, and close findings after re-test.

Tooling & Automation

• Configure, run, and tune DAST or similar tools; integrate results into CI/CD.

• Build and maintain custom scripts for repeatable tests and payload generation.

• Maintain test environments, proxies, and lab infrastructure (containers, mock services).

Required Qualifications & Skills

• Experience: Good years in application security or red teaming with hands-on web/API pen testing.

• Technical Depth:

o Web technologies: HTTP, cookies, sessions, CORS, OAuth2/OIDC, JWT, SSO, CSRF defenses.

o API testing: REST, GraphQL, gRPC, schema validation, pagination, object-level authorization.

o Secure coding: JavaScript/TypeScript, Java/Kotlin, .NET, Python, or Go; ability to read and suggest fixes.

o Cloud/App platforms: AWS/Azure/GCP fundamentals (IAM, WAF, secret management).

• Vulnerability Management: Working knowledge of CVSS scoring, CWE mapping, and SLA-based remediation workflows in platforms like Tenable, Qualys, or custom trackers.

• Soft Skills: Clear technical writing, stakeholder communication, and ability to translate risk into business

Preferred Qualifications

• Experience embedding security testing in CI/CD (GitHub Actions, GitLab CI, Azure DevOps).

• Familiarity with IaC scanning (Terraform, Bicep), container security, and runtime protections (RASP/WAF).

• Experience with mobile API testing and SSO/federation architectures.

Tata Consultancy Services Canada Inc. is committed to meeting the accessibility needs of all individuals in accordance with the Accessibility for Ontarians with Disabilities Act (AODA) and the Ontario Human Rights Code (OHRC). Should you require accommodations during the recruitment and selection process, please inform Human Resources.

Thank you for y

About the Company

Tata Consultancy Services is an IT services, consulting and business solutions organization that has been partnering with many of the world's largest businesses in their transformation journeys for over 56 years. Our consulting-led, cognitive powered, portfolio of business, technology and engineering services and solutions is delivered through our unique Location Independent Agile(tm) delivery model, recognized as a benchmark of excellence in software development. A part of the Tata group, India's largest multinational busi...