Job Description
As a Security Engineering Intern (AppSec), you will be embedded in the application security team at Upstox, working hands-on to identify, assess, and help remediate security vulnerabilities across our web, mobile, and API surfaces. This is not a bug bounty role: we’re looking for an engineer who can deeply understand application flows, reason about risk, and contribute meaningfully to secure product development. You will work closely with engineering and product teams to build security into the SDLC, participate in architecture reviews and threat modelling, and help triage and manage our bug bounty program. Beyond testing, you will also contribute to security automation initiatives and internal tool development projects, writing scripts and building utilities that scale our security capabilities and reduce manual effort across the team.
We are looking for self-driven quick starters with a strong ownership mindset.
What You’ll Own
In this role you will:
- Perform security testing across Web, Mobile, and API surfaces — identify vulnerabilities, understand application flows end-to-end, and recommend effective mitigations.
- Participate in security architecture reviews and threat modelling sessions alongside engineering and product teams.
- Triage and manage vulnerabilities reported through the bug bounty program — assess impact, validate findings, and coordinate remediation with engineering teams.
- Write and maintain automation scripts (Python/Golang) to scale security testing and integrate security checks into CI/CD pipelines.
- Review AWS configurations and cloud infrastructure for common misconfigurations and security gaps.
- Evaluate the security posture of microservices and containerized environments (Docker, Kubernetes).
- Collaborate with developers to ensure secure implementation of authentication and authorisation mechanisms (OAuth, SAML, OIDC).
- Stay current on emerging security threats, including AI-related security issues, and help assess their relevance to Upstox’s product and infrastructure.
- Contribute to internal security tooling, documentation, and knowledge-sharing within the organisation.
Who You Are
- Currently pursuing or completing a Bachelor’s/Master’s degree in Computer Science, Information Technology, or a related field, with graduation in 2026.
- Solid understanding of web application, mobile application, and API security fundamentals, including OWASP Top 10 for Web, Mobile, and API.
- Hands-on experience performing security testing across web, mobile, and API surfaces — not just finding bugs, but understanding the full application flow.
- Familiarity with AWS and awareness of common cloud misconfigurations (e.g., exposed S3 buckets, over-permissive IAM roles, insecure security groups).
- Comfortable writing automation scripts in Python or Golang to support security testing and tooling.
- Good understanding of authentication and authorisation protocols — OAuth 2.0, SAML, and OIDC — and their common vulnerabilities.
- Basic understanding of CI/CD pipelines, containerization (Docker, Kubernetes), and microservices architecture from a security perspective.
- Basic familiarity with common security issues in AI/ML systems (e.g., prompt injection, model data leakage, adversarial inputs).
- Strong ability to understand and articulate mitigation strategies, not just identify vulnerabilities — we hire engineers, not bug hunters.
- Curious, self-driven, and eager to learn — able to operate with autonomy in a fast-paced environment.
Good-to-haves:
- Red teaming experience is a strong plus.
- Security certifications such as OSCP, GWAPT, CEH, or equivalent are a bonus. We strongly value skills over certifications.
- Prior experience in fintech or financial services security is an advantage.