
Job Title:

Manager/Senior Manager - Platform Security Specialist

Company: Government e Marketplace (GeM)

Location: New Delhi, Delhi

Created: 2025-12-11

Job Type: Full Time

Job Description:

About GeM
Government eMarketplace (GeM) is a unified digital platform that facilitates end-to-end procurement of goods and services by government departments, organizations and public sector undertakings (PSUs). The Honourable Prime Minister's concerted efforts to harness the power of digital platforms to achieve 'Minimum Government, Maximum Governance' led to the genesis of GeM in 2016. GeM provides a paperless, cashless and contactless ecosystem in which government buyers purchase products and services directly from pan-India sellers and service providers through an online platform. GeM covers the entire procurement process, from vendor registration and item selection by buyers to receipt of goods and facilitation of timely payments. GeM aims to use the agility and speed of a digital platform, created with strategic intent, to reinvigorate public procurement systems and bring about lasting change for the underserved as well as the nation. Built on the pillars of Efficiency, Transparency and Inclusivity, GeM has emerged as a digital tool in the nation's interest, aimed at catalyzing excellence in public procurement. To know more about us, please visit our website. You may also follow us on Twitter, LinkedIn, Koo App, YouTube and Facebook.

What is it like to work at GeM?
- Opportunity to work with a team of highly passionate professionals from the private and government sectors
- Unbounded space for creativity and innovation
- Agile and collaborative work environment
- Highly transparent and open work culture
- Work-life balance
- Various kinds of health cover (insurance) for the individual and family
- A great opportunity to learn and hone your skills

Compensation: GeM offers a competitive salary and other additional benefits.
Type of employment: This is a contractual role under the Project Management Unit (PMU) of GeM.
Location: This position is based in Delhi.

Role Overview
We are seeking a Platform Security Specialist with hands-on expertise in offensive testing, client-side exploitation and architectural hardening to uncover and remediate vulnerabilities in GeM and in the new portal currently under development. This role will lead structured diagnostic assessments, covering session management, context-token validation, API replay protection, cross-window/browser exploitation and fraud detection, while also executing real-world ethical hacking simulations to expose weaknesses before adversaries do. You will design and enforce zero-trust client-server models, implement tamper-evident protocols, and ensure that critical business logic remains secure in our micro-frontend and microservices architecture.

Key Responsibilities
1. Offensive Security & Ethical Hacking
- Perform full-spectrum penetration testing (frontend, backend, APIs) targeting:
  - React micro frontends and React Native mobile apps
  - Java Spring Boot and Ruby on Rails backend services
  - Integration points (API gateways, service orchestrations)
- Simulate client-side tampering via:
  - Browser developer tools (DOM manipulation, JS injection)
  - Network request interception/replay
  - Cross-tab/window state manipulation
- Conduct diagnostic assessments as per the security questionnaire:
  Session & Search Management
  - Audit search session ID generation and isolation
  - Test multiple-tab/multiple-window handling
  - Verify that L1 (lowest price) determinations are server-authoritative
  - Assess persistence and cryptographic signing of search results
  Purchase Token & Validation System
  - Analyze purchase API payloads for session binding and tokenization
  - Verify token one-time use and binding to search sessions
  - Detect cross-search purchase vulnerabilities
  Cross-Window & Browser Security
  - Evaluate browser fingerprinting and cross-window manipulation detection
  - Test developer tools / DOM tamper detection capabilities
  API Security & Replay Protection
  - Test request idempotency and replay attack resilience
  - Audit depth of server-side validation beyond authentication
  - Check request-response integrity and response signing mechanisms
  Fraud Detection & Monitoring
  - Assess anomaly detection coverage and event correlation
  - Verify completeness of audit trails for forensic reconstruction
  Architecture-Level Security
  - Map trust boundaries between client and server
  - Identify risks from client-side state manipulation

2. Defensive Architecture & Hardening
- Architect context-token and payload-signing systems to bind requests to sessions, actions and parameters.
- Define and enforce Content Security Policy (CSP), Trusted Types and Subresource Integrity (SRI) for all frontend assets.
- Implement replay prevention mechanisms, idempotency keys and anti-fraud telemetry.
- Harden state management to ensure critical decisions and calculations are backend-only.

3. Monitoring & Detection
- Develop client-side security monitoring:
  - DOM mutation detection
  - Service Worker-based egress guard
  - CSP/SRI violation reporting
- Integrate client telemetry with the backend SIEM for real-time detection of tampering and fraud.
- Establish continuous security regression testing pipelines in CI/CD.

4. Business Logic & Procurement Security
- Identify and test for business rule bypasses that may allow manipulation of procurement workflows (e.g., bid extension, cancellation or L1 price leakage).
- Identify and assess workflows for bid manipulation risks, including collusion, proxy bidding and last-minute sniping strategies.
- Ensure that business-critical workflows are tamper-proof, auditable and compliant with government procurement norms.

Educational Qualification
Essential: B.Tech in Computer Science/IT/Software Engineering from a reputed institute/university.

Required Skills & Experience
- 8+ years in application security, penetration testing or security architecture
- Mastery of web and API exploitation techniques (cross-site scripting (XSS), cross-site request forgery (CSRF), replay attacks, logic flaws)
- Hands-on with security testing tools: Burp Suite, OWASP ZAP, Postman scripting, custom fuzzers

Desired Skills & Experience
- Proven ability to design token-based authorization, session isolation and state synchronization security
- Strong knowledge of Java Spring Boot and Ruby on Rails security practices
- Experience with browser security models (CSP, Trusted Types, SRI, sandboxing)
- Familiarity with fraud detection systems and audit logging best practices
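As an added illustration of the design named under Key Responsibilities 1 and 2 above (server-authoritative L1, purchase tokens bound to a search session and consumed once, idempotency keys with replay refusal, request and response signing, and an audit trail), here is a Ruby sketch. It is example code written for this page, not GeM's code; Ruby is used because Rails is one of the backends named, and the ProcurementServer class, its in-memory stores, the HMAC-over-canonical-JSON token format and the catalogue values are all assumptions.

```ruby
# Added example, not GeM's code: server-authoritative purchase flow with HMAC-signed context
# tokens bound to a search session, one-time use, idempotency keys and a signed response.
# ProcurementServer, its in-memory stores and the catalogue values are assumptions.
%w[openssl json securerandom base64 time].each { |lib| require lib }

class ProcurementServer
  SECRET = OpenSSL::Random.random_bytes(32) # in production this comes from a KMS/HSM
  attr_reader :audit
  def initialize
    @searches = {}    # search_id => { user:, items:, l1: }
    @tokens = {}      # token_id  => { search_id:, user:, item_id:, used: }
    @idempotency = {} # Idempotency-Key => cached response
    @audit = []
  end
  # The server decides L1 (lowest price) from its own catalogue copy and issues a
  # purchase token bound to this user, this search and the L1 item.
  def search(user, catalogue)
    sid, tid = SecureRandom.hex(16), SecureRandom.hex(16)
    l1 = catalogue.min_by { |item| item[:price] }
    @searches[sid] = { user: user, items: catalogue, l1: l1 }
    @tokens[tid] = { search_id: sid, user: user, item_id: l1[:id], used: false }
    log('search', user, search_id: sid, l1_item: l1[:id])
    { search_id: sid, l1_item: l1[:id], l1_price: l1[:price],
      purchase_token: sign(tid: tid, sid: sid, uid: user, item: l1[:id]) }
  end
  # Same Idempotency-Key => same cached response (safe client retry). A new key
  # presenting an already-consumed token is a replay and is refused below.
  def purchase(user, body, idempotency_key)
    return @idempotency[idempotency_key] if @idempotency.key?(idempotency_key)
    @idempotency[idempotency_key] = authorize_purchase(user, body)
  end
  # Response signing: a holder of the response can check this server produced it.
  def response_authentic?(resp)
    resp[:status] == 'ok' && verify(resp[:signature]) == resp[:order]
  end
  private
  def authorize_purchase(user, body)
    claims = verify(body[:purchase_token])
    return deny('bad_signature', user, body) unless claims
    rec = @tokens[claims[:tid]]
    return deny('unknown_token', user, body) unless rec
    return deny('token_reused', user, body) if rec[:used]
    return deny('wrong_user', user, body) unless rec[:user] == user
    return deny('cross_search', user, body) unless body[:search_id] == rec[:search_id]
    return deny('item_mismatch', user, body) unless body[:item_id] == rec[:item_id]
    rec[:used] = true # consumed only after every binding check has passed
    # Price is read from the server-side search record; any price in the body is ignored.
    order = { order_id: SecureRandom.hex(8), user: user, search_id: rec[:search_id],
              item_id: rec[:item_id], price: @searches[rec[:search_id]][:l1][:price] }
    log('purchase_ok', user, order)
    { status: 'ok', order: order, signature: sign(order) }
  end
  def deny(reason, user, body)
    log('purchase_denied', user, reason: reason, search_id: body[:search_id], item_id: body[:item_id])
    { status: 'denied', reason: reason }
  end
  # Canonical (key-sorted) JSON so signer and verifier MAC identical bytes.
  def sign(payload)
    body = JSON.generate(payload.sort.to_h)
    Base64.strict_encode64(body) + '.' + OpenSSL::HMAC.hexdigest('SHA256', SECRET, body)
  end
  def verify(token)
    b64, mac = token.to_s.split('.', 2)
    return nil unless b64 && mac
    body = Base64.strict_decode64(b64)
    return nil unless secure_eq(OpenSSL::HMAC.hexdigest('SHA256', SECRET, body), mac)
    JSON.parse(body, symbolize_names: true)
  rescue ArgumentError, JSON::ParserError
    nil
  end
  def secure_eq(a, b) # constant-time comparison of two MAC strings
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  def log(event, user, data)
    @audit << { at: Time.now.utc.iso8601, event: event, user: user }.merge(data)
  end
end

# Constructed scenario: one legitimate purchase plus the tampering cases the
# diagnostic assessment looks for. Returns a hash a test harness can assert on.
def run_scenario
  srv = ProcurementServer.new
  s1 = srv.search('buyer-1', [{ id: 'A', price: 120.0 }, { id: 'B', price: 95.5 }, { id: 'C', price: 110.0 }])
  s2 = srv.search('buyer-1', [{ id: 'D', price: 50.0 }])
  body = { search_id: s1[:search_id], item_id: s1[:l1_item], price: 1.0, purchase_token: s1[:purchase_token] }
  first = srv.purchase('buyer-1', body, 'idem-1')   # client-supplied price 1.0 is ignored
  retried = srv.purchase('buyer-1', body, 'idem-1') # same key: cached response, no second order
  replay = srv.purchase('buyer-1', body, 'idem-2')  # new key, consumed token: refused
  cross = srv.purchase('buyer-1', body.merge(purchase_token: s2[:purchase_token]), 'idem-3')
  s2_body = { search_id: s2[:search_id], item_id: 'D', purchase_token: s2[:purchase_token] }
  other = srv.purchase('buyer-2', s2_body, 'idem-4') # valid, unused token held by the wrong user
  tok = s2[:purchase_token]
  forged = srv.purchase('buyer-1', s2_body.merge(purchase_token: tok[0..-2] + (tok[-1] == '0' ? '1' : '0')), 'idem-5')
  { first: first, retried: retried, replay: replay, cross: cross, other: other, forged: forged,
    response_ok: srv.response_authentic?(first), audit: srv.audit }
end
run_scenario.each { |k, v| puts "#{k}: #{v.inspect}" } if $PROGRAM_NAME == __FILE__
```

Run the file directly to print each outcome. The point to check in a real assessment is the order of the checks: the token is consumed only after every binding check has passed, so a rejected request never burns a legitimate token, a duplicate Idempotency-Key returns the cached response instead of creating a second order, and every accepted or refused purchase leaves an audit record that names the reason.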
Certifications: OSCP, OSWE, CEH, GWAPT or similar.

Preferred Domain Experience: E-Procurement/Financial Systems Security (preferred)
- Experience with e-procurement fraud patterns preferred
- Understanding of government procurement compliance requirements
- Knowledge of bid manipulation and price manipulation attack vectors

Preferred Qualifications
- Background in securing micro frontend / microservice architectures
- Experience with workflow orchestrations (Camunda 8, IBM BAMOE 9.1)
- Familiarity with threat modeling and MITRE ATT&CK for Web

Success Metrics
- Identified and remediated vulnerabilities in all diagnostic questionnaire categories
- Zero critical security findings in post-release penetration tests
- Increased detection rate of client-side and API tampering attempts
- Measurable improvement in fraud prevention and audit trail completeness

The GeM selection committee reserves the right to relax or extend the eligibility criteria and educational qualifications. If the number of applications received is very high, GeM reserves the right to shortlist candidates and invite only shortlisted candidates for the interview round. The crucial date for determining eligibility will be the last date of receipt of applications. No applications shall be entertained under any circumstances after the stipulated date. Incomplete applications shall be rejected. GeM reserves the right to shortlist candidates for interview. Applicants should note that mere fulfilment of the minimum eligibility criteria may not ensure consideration for shortlisting for interview. GeM will not entertain any correspondence on this subject, and the decisions of GeM will be final in all matters.
