Security Consultant (Secure Code Review)

NetSPI

IT
India · Pune, Maharashtra, India
Posted on Feb 26, 2026

Title: Security Consultant (Secure Code Review Practice)

Location: Pune, MH

NetSPI® pioneered Penetration Testing as a Service (PTaaS) and leads the industry in modern pentesting. Combining world-class security professionals with AI and automation, NetSPI delivers clarity, speed, and scale across 50+ pentest types, attack surface management, and vulnerability prioritization. The NetSPI platform streamlines workflows and accelerates remediation, enabling our experts to focus on deep dive testing that uncovers vulnerabilities others miss. Trusted by the top 10 U.S. banks and Fortune 500 companies worldwide, NetSPI has been driving security innovation since 2001.

NetSPI is on an exciting growth journey as we disrupt and improve the proactive security market. We are looking for individuals with a collaborative, innovative, and customer-first mindset to join our team. Learn more about our award-winning workplace culture and get to know our A-Team at www.netspi.com/careers.

Join the mission as a Security Consultant (Secure Code Review). These individuals will primarily serve as a resource for delivery of client assessment services and contribute to practice development. Individuals who are passionate about finding vulnerabilities in source code and identifying secure coding best practices should consider applying.

Core Competencies:

  • This position requires an understanding of technology, enterprise security and risk management.
  • Incumbent should have experience with application security assessment and testing, as well as demonstrate competencies in problem solving, client service, written and verbal communications, and project execution. Incumbent should adhere to high standards of ethics and integrity and display professionalism.
  • Finally, incumbent should possess strong consulting skills.

Primary Duties:

  • Proven ability to identify security vulnerabilities in source code across various programming languages and frameworks, including Java, .NET, JavaScript, Python, and more.
  • Experience using, configuring, and triaging findings from Static Application Security Testing (SAST) tools such as Veracode, Checkmarx or Semgrep.
  • Proven track record in delivering several assessments involving static analysis and manual code review. The consultant should excel in taint tracking across data and control flow paths from source to sink and be skilled at identifying mitigation controls that may affect a finding's exploitability.
  • Experience identifying and reviewing third-party vulnerabilities in source code using software composition analysis tools. The consultant should be adept at researching CVEs to assess exploitability factors and perform reachability analysis to determine whether a vulnerable library poses an actual risk.
  • Strong understanding of build tools (Maven, Gradle) and package managers (npm, pip), with the ability to navigate project structures and dependency configurations during review.
  • Proven ability to work effectively with developers and application stakeholders, providing clear remediation guidance and contextual explanations for identified vulnerabilities.
  • Ability to train and mentor developers on understanding, describing, and remediating vulnerabilities identified during engagements.

Minimum Qualifications:

  • Minimum of two years of hands-on secure code review experience across multiple languages and frameworks, with proficiency in analyzing source code against established secure coding guidelines.
  • Knowledge of exploiting web applications and understanding of the OWASP Top 10 issues, including ability to identify and remediate vulnerabilities in source code.
  • Bachelor’s degree in computer science/engineering or equivalent.

Preferred Qualifications:

  • Experience in detecting, analyzing, and providing recommendation guidance on security vulnerabilities in at least one of the following languages: Java, C#, PHP, Python, Perl, C/C++, SQL, JavaScript.
  • Hands-on experience conducting security-focused static analysis using commercial SAST tools such as Veracode, Checkmarx, Semgrep, AppScan Source, Coverity, Fortify, or SonarQube.
  • Professional programming experience in at least one server-side programming language.
  • Ability to explain the risk and business impact of security vulnerabilities in source code to a variety of audiences.
  • Master’s degree in computer science/engineering or equivalent.