Search by job, company or skills

DayThree

AI & Application Security Specialist

DayThree
Shah Alam, Malaysia, Selangor
4-8 Years

This job is no longer accepting applications

  • Posted 13 days ago

Job Description

Primary Purpose of Role

This role is responsible for providing hands-on technical security assurance across internally developed applications, AI-enabled systems, APIs, integrations, and supporting hosting or cloud environments.

The position acts as a bridge between GRC, Digital and IT teams to ensure security risks are identified early within the Software Development Lifecycle, validated through technical review, and translated into actionable remediation plans.

The role focuses on application security, AI/LLM security, secure SDLC, API key and secrets management, technical risk assessment, and security control validation. The role is not intended to function as a full red-team role, but may coordinate penetration testing, vulnerability assessment, or external security testing where required.

Key Responsibilities

1. Application Security and Secure SDLC

  • Assess security practices across the Software Development Lifecycle.
  • Participate in application design, architecture, and data flow reviews for new and existing systems.
  • Perform secure code reviews to identify vulnerabilities such as injection flaws, authentication weaknesses, insecure data handling, exposed secrets, and insecure API usage.
  • Work closely with Digital teams to embed secure coding practices into development and deployment activities.
  • Define security checkpoints before production deployment, including code review, security testing, approval, and remediation closure.
  • Review applications developed using AI-assisted coding tools to ensure security risks are identified before release.
  • Recommend and support implementation of SAST, DAST, secret scanning, and dependency scanning tools.

2. AI / LLM Application Security

  • Assess AI-enabled applications for prompt injection, excessive agency, data leakage, insecure output handling, token abuse, and misuse of AI functions.
  • Develop and maintain prompt injection test cases for AI applications.
  • Validate AI input and output controls across all applicable input paths, including text, voice, API, webhook, file upload, workflow automation, and third-party integrations.
  • Ensure AI systems have appropriate input validation, output restriction, token limit, rate limit, usage quota, and abuse prevention controls.
  • Validate that system prompts, internal instructions, business logic, API keys, and sensitive configuration are not exposed to users or external parties.
  • Support AI risk assessments, AI impact assessments, and AI security reviews from a technical perspective.
  • Review AI-related incidents and provide technical input for root cause analysis and corrective actions.

3. API Key and Secrets Management

  • Define and enforce secure handling of API keys, tokens, credentials, and other secrets.
  • Ensure secrets are not hardcoded in source code, committed to repositories, exposed in frontend code, stored in public files, included in logs, or shared through insecure communication channels.
  • Perform or coordinate secret scanning across repositories, commit history, deployment files, configuration files, .env files, and hosting environments.
  • Support secure API key rotation, access restriction, ownership assignment, and usage monitoring.
  • Recommend secure storage methods such as secret managers, protected environment variables, and controlled access mechanisms.
  • Review and validate remediation actions relating to API key leakage or credential exposure.

4. Technical Risk Assessment

  • Conduct system-level technical risk assessments for applications, infrastructure, APIs, integrations, and cloud environments.
  • Identify threats, vulnerabilities, likelihood, impact, and possible exposure across:

- Web and mobile applications

- APIs and integrations

- AI-enabled applications

- Servers and hosting environments

- Cloud platforms such as AWS

- Workflow automation tools such as n8n

- Identity and access management controls.

  • Translate technical findings into clear risk statements, business impact, and remediation actions.
  • Support risk-based decision-making, including risk treatment, risk acceptance, and compensating control assessment.

5. Infrastructure, Hosting and Cloud Security Assurance

  • Review security configurations across hosting, server, cloud, and infrastructure environments.
  • Assess access controls, file permissions, logging, monitoring, backup, encryption, network exposure, and hardening controls.
  • Review whether hosting environments such as cPanel are appropriate for production or AI-enabled applications.
  • Assess cloud architecture and configuration, including IAM, security groups, encryption, logging, monitoring, backup, and recovery readiness.
  • Validate implementation of hardening standards and remediation actions.
  • Recommend secure hosting improvements or migration to more controlled cloud environments where appropriate.

6. Vulnerability Management and Security Testing

  • Perform controlled internal security testing within approved scope.
  • Review vulnerability scan results and validate remediation effectiveness.
  • Identify recurring vulnerabilities and root causes.
  • Coordinate vulnerability assessment, penetration testing, or specialised AI security testing with external vendors where required.
  • Review external testing reports and work with responsible teams to ensure findings are remediated.
  • Track remediation progress and ensure closure of identified issues.

7. Audit, Compliance and GRC Support

  • Provide technical support for audits, certifications, client security assessments, and regulatory reviews.
  • Help bridge the gap between technical implementation and compliance expectations.
  • Support alignment with relevant frameworks and standards, including ISO/IEC 27001, ISO/IEC 42001, SOC 2, PCI DSS, OWASP Top 10, OWASP API Security Top 10, and OWASP LLM/GenAI guidance.
  • Prepare technical security assessment reports, remediation updates, and evidence for audit purposes.
  • Support incident response activities by assisting with technical investigation, evidence collection, exposure assessment, root cause analysis, and remediation validation.
  • Support GRC in evaluating whether implemented controls are effective and sustainable.

8. Developer Enablement and Advisory

  • Provide practical security guidance to Digital and IT teams.
  • Develop secure coding checklists, AI security checklists, API key handling standards, and secure deployment guidelines.
  • Conduct knowledge sharing on application security, AI security, secrets management, prompt injection risks, and secure SDLC practices.
  • Constructively challenge technical teams where security risks are identified.
  • Promote security-by-design and proactive risk management across development activities.

Required Knowledge and Skills

  • Application security and secure coding practices.
  • OWASP Top 10 and common web application vulnerabilities.
  • OWASP API security risks.
  • Secure SDLC and DevSecOps practices.
  • AI/LLM security risks, including prompt injection, data leakage, token abuse, insecure output handling, and excessive agency.
  • API key, token, credential, and secrets management.
  • SAST, DAST, secret scanning, dependency scanning, and vulnerability scanning tools.
  • Web application architecture and API integrations.
  • Cloud and hosting security, preferably AWS.
  • Identity and access management concepts.
  • Logging, monitoring, and incident detection fundamentals.
  • Ability to read and understand code sufficiently to identify security flaws.
  • Ability to analyse architecture diagrams, data flows, and system configurations.
  • Ability to translate technical weaknesses into business risk and remediation actions.

Job Requirements

  • Bachelor's Degree in Computer Science, Information Security, Information Technology, Engineering, or related field.
  • 4–8 years of experience in one or more of the following areas:

- Application Security

- Secure SDLC / DevSecOps

- Cybersecurity Engineering

- Cloud Security

- Technical IT Risk

- Security Testing

- Vulnerability Management

  • Experience working with development teams and/or infrastructure teams.
  • Experience in secure code review, application security testing, technical risk assessment, or security control validation.
  • Familiarity with development environments, repositories, CI/CD pipelines, APIs, and cloud or hosting platforms.
  • Strong analytical and problem-solving skills.
  • Able to work independently within a GRC-led function.
  • Good communication skills and ability to explain technical risks clearly to non-technical stakeholders.
  • Practical, hands-on, and solution-oriented mindset.

Preferred Qualifications

Any of the following certifications will be an added advantage:

  • Certified Secure Software Lifecycle Professional
  • AWS Certified Security – Specialty
  • AWS Solutions Architect
  • CISSP
  • CCSP
  • Other relevant application security, cloud security, or secure development certifications.

Key Deliverables

  • Secure SDLC security checklist.
  • AI application security checklist.
  • Prompt injection testing checklist and validation results.
  • API key and secrets management standard.
  • Application and AI security assessment reports.
  • Hosting and cloud security assessment reports.
  • SAST / DAST / secret scanning implementation recommendations.
  • Vulnerability and remediation tracking reports.
  • Technical input for incident reports, RCA, and corrective action plans.
  • Audit evidence for technical security controls.

More Info

Job Type:
Permanent Job
Industry:
Other
Function:
Information Security
Employment Type:
Full time

About Company

DayThree

Job ID: 149099661

Jobs by Skill - IT
Jobs by Skill - Non IT
International Jobs
Jobs in Top Cities
Popular Jobs
Last Updated: 14-06-2026 06:03:57 PM
Homejobs in Shah AlamAI & Application Security Specialist