Secure Source Code Reviewer (SAST Specialist)

Client of Salt

You will conduct in-depth manual secure code reviews across technologies including Java/Spring Boot, JavaScript/Node.js, Python, Go, TypeScript, and C#, validating SAST findings, eliminating false positives, and identifying deeper vulnerabilities related to insecure authentication flows, cryptographic misuse, insecure design patterns, and business logic weaknesses.

You will work closely with Security Engineering and DevSecOps teams to improve detection quality, reduce alert fatigue, and help development teams remediate vulnerabilities effectively.

Key Responsibilities:

• Perform detailed manual secure code reviews across critical application components and APIs
• Review authentication and authorization mechanisms, cryptographic implementations, and sensitive data handling logic
• Validate and triage findings generated by SAST tools including Fortify SCA, Semgrep, CodeQL, and GitLab SAST
• Differentiate true positives from false positives and provide developers with clear remediation guidance
• Develop and maintain secure coding standards and framework-specific hardening guidance
• Support engineering teams through secure coding workshops and developer remediation sessions
• Collaborate with DevSecOps teams to improve SAST rule tuning, detection accuracy, and pipeline effectiveness
• Participate in application security architecture reviews and threat modelling exercises
• Contribute to improving the organisation s secure development lifecycle maturity in alignment with NIST SSDF, ISO 27001, and OWASP SAMM

Key Objectives:

• Improve the signal-to-noise ratio of SAST findings
• Reduce false positives across the secure development pipeline
• Ensure all critical-path modules undergo secure code review on a defined rotation
• Raise the overall secure coding maturity across engineering teams
• Identify design- and logic-level vulnerabilities missed by automated tooling