Description

Job Summary:
We are seeking a seasoned API Security Engineer with 8–10 years of hands-on experience in application and API security across cloud-native, containerized environments. The ideal candidate will play a critical role in designing and enforcing robust API security practices across enterprise-grade platforms. You will collaborate with development, DevOps, and security operations teams to ensure APIs are secure by design, resilient in production, and compliant with industry standards.

Responsibilities:
Analyze and secure RESTful and GraphQL APIs across internal, partner, and third-party integrations.
Implement OAuth 2.0, OIDC, JWT, and API key-based authentication and authorization.
Build and enforce security policies through API gateways such as Apigee, Kong, Mulesoft, AWS API Gateway, or Azure API Management.
Perform API threat modeling, risk assessments, and penetration testing.
Integrate security testing tools (e.g., OWASP ZAP, Burp Suite, Postman) into CI/CD pipelines.
Monitor for API abuse, misconfiguration, broken access control, and excessive data exposure.
Collaborate with developers to apply secure coding standards and address OWASP API Top 10 issues.
Develop and maintain documentation for API security best practices.
Support log analysis, incident response, and forensic investigation related to API traffic and data.
Advocate for Zero Trust API architectures and scalable token management strategies.
Work across cloud and containerized environments (AWS/GCP/Azure + Docker/Kubernetes).

Required Qualifications:
8–10 years of total experience in Information Security, AppSec, or Cloud Security.
3–5 years focused specifically on API security.
Proficiency with OAuth, OpenID Connect, JWT, mTLS, and HMAC signatures.
Strong experience with API gateway platforms and WAF configuration.
Deep understanding of OWASP Top 10 (API & Web) vulnerabilities and remediation techniques.
Knowledge of DevSecOps practices, security automation, and CI/CD tools.
Familiarity with cloud-native security (AWS/GCP/Azure) and container security (Docker, Kubernetes).
Scripting skills in Python, Shell, or JavaScript for tooling and automation.
Strong analytical, documentation, and communication skills.

Preferred:
Security certifications (e.g., CISSP, CSSLP, GWAPT, APIsec)
Experience with runtime protection or API abuse detection platforms
Exposure to zero-day threat analysis and SIEM/SOAR tools

Education

Any Graduate