Secure Source Code Reviewer (SAST Specialist)
Application Security | Abu Dhabi | 12-Month Contract | On-Site
We are currently supporting a key enterprise client in Abu Dhabi that is looking to hire an experienced Secure Source Code Reviewer (SAST Specialist) to join their Information Security function on an initial 12-month contract.
This is a highly technical Application Security role focused on manual and tool-assisted secure code review across modern enterprise applications and microservices environments. The successful candidate will play a critical role in improving the quality and effectiveness of secure development practices by identifying vulnerabilities that traditional SAST tooling alone cannot detect. This position sits upstream of penetration testing and is designed to strengthen secure software delivery before vulnerabilities reach production.
The Role
You will conduct in-depth manual secure code reviews across technologies including Java/Spring Boot, JavaScript/Node.js, Python, Go, TypeScript, and C#, validating SAST findings, eliminating false positives, and identifying deeper vulnerabilities related to insecure authentication flows, cryptographic misuse, insecure design patterns, and business logic weaknesses.
You will work closely with Security Engineering and DevSecOps teams to improve detection quality, reduce alert fatigue, and help development teams remediate vulnerabilities effectively.
Key Responsibilities
- Perform detailed manual secure code reviews across critical application components and APIs
- Review authentication and authorization mechanisms, cryptographic implementations, and sensitive data handling logic
- Validate and triage findings generated by SAST tools including Fortify SCA, Semgrep, CodeQL, and GitLab SAST
- Differentiate true positives from false positives and provide developers with clear remediation guidance
- Develop and maintain secure coding standards and framework-specific hardening guidance
- Support engineering teams through secure coding workshops and developer remediation sessions
- Collaborate with DevSecOps teams to improve SAST rule tuning, detection accuracy, and pipeline effectiveness
- Participate in application security architecture reviews and threat modelling exercises
- Contribute to improving the organisation's secure development lifecycle maturity in alignment with NIST SSDF, ISO 27001, and OWASP SAMM
What We're Looking For
- Minimum 3 years of hands-on secure code review experience
- Strong knowledge of OWASP Top 10 and secure software development principles
- Deep technical expertise across:
  - Java / Spring Boot
  - JavaScript / Node.js
  - Python
  - Go
  - C#
  - REST APIs and microservices architectures
  - Keycloak
- Strong understanding of:
  - Authentication and authorization flows
  - Cryptography implementation and misuse
  - API security vulnerabilities
  - Secure design principles
- Experience using SAST platforms such as:
  - Fortify SCA
  - Semgrep
  - CodeQL
  - GitLab SAST
- Strong scripting and automation capability using Python, Bash, or PowerShell
- Familiarity with NIST CSF 2.0, ISO 27001, MITRE ATT&CK, and UAE IA Regulation
- Relevant security certifications such as OSCP, CISSP, GCIH, or CCSP are advantageous
- Excellent communication skills with the ability to work directly with both engineers and senior stakeholders
Key Objectives
- Improve the signal-to-noise ratio of SAST findings
- Reduce false positives across the secure development pipeline
- Ensure all critical-path modules undergo secure code review on a defined rotation
- Raise the overall secure coding maturity across engineering teams
- Identify design- and logic-level vulnerabilities missed by automated tooling
Please apply to be contacted with further information.