
Key Responsibilities and Required Skills for Web Security Proxy Engineer

💰 $120,000 - $180,000

Security · Network Engineering · DevSecOps

🎯 Role Definition

The Web Security Proxy Engineer is a specialized security and networking engineer who architects, deploys, and operates reverse proxies, API gateways, and web application firewalls (WAFs) to protect web applications and APIs. This role blends network engineering, application security, and platform automation: you will design TLS termination, implement WAF rules and rate limiting, integrate proxies with CI/CD and container platforms (e.g., Kubernetes Ingress, Envoy, Istio), tune performance and caching, and maintain observability and incident response processes for web traffic. The ideal candidate is experienced with NGINX, Envoy, HAProxy, cloud load balancers, OWASP Top 10 mitigations, TLS/PKI, and security automation (Terraform, Ansible, CI/CD).


📈 Career Progression

Typical Career Path

Entry Point From:

  • Network Engineer (with web proxy / load-balancer experience)
  • Application Security Engineer / Web App Penetration Tester
  • DevOps / SRE with exposure to ingress, proxy, or API gateway operations

Advancement To:

  • Senior Web Security / Gateway Architect
  • Security Engineering Manager
  • Platform Security or Cloud Security Architect

Lateral Moves:

  • Site Reliability Engineer (SRE) for edge platforms
  • Cloud Networking Engineer
  • Application Security Lead

Core Responsibilities

Primary Functions

  • Design, deploy, and maintain reverse proxy and API gateway architectures (NGINX, Envoy, HAProxy, Traefik, Istio) to secure and scale north-south and east-west application traffic while ensuring minimal latency and high availability.
  • Implement and tune Web Application Firewall (WAF) rules and managed rule sets (ModSecurity, F5 ASM, Cloud WAFs) to protect applications against OWASP Top 10 threats, bots, and automated abuse without causing false positives that impact availability.
  • Manage TLS/SSL termination and end-to-end encryption including certificate lifecycle automation (Let’s Encrypt, Vault PKI, AWS Certificate Manager), TLS 1.3 configuration, OCSP stapling, HSTS, and cipher-suite hardening to ensure robust cryptographic posture.
  • Architect and operate rate limiting, request size limits, connection limits, and IP reputation controls at the proxy edge to mitigate DDoS amplification, brute force login attempts, and abuse patterns.
  • Integrate proxies and gateways with identity and authorization systems (OAuth2, OIDC, JWT verification, mTLS) to enforce per-API and per-route access control policies.
  • Lead the design and implementation of API gateway policies for request/response transformation, schema validation, API versioning, and header manipulation to support developer teams and API lifecycle management.
  • Plan and execute proxy and WAF capacity planning, performance tuning, benchmarking, and load testing to maintain predictable SLAs and identify scaling bottlenecks across cloud and on-prem clusters.
  • Deploy and manage Kubernetes ingress controllers and service mesh ingress strategies (Nginx Ingress, Envoy/Istio, Gateway API) to secure containerized workloads and support canary/rolling deployments.
  • Automate infrastructure and configuration as code for proxies and security controls using Terraform, Ansible, Helm charts, and GitOps patterns to ensure reproducible, auditable deployments.
  • Build and maintain robust observability for web security: structured logs, distributed tracing, metrics (Prometheus/Grafana), synthetic checks, and dashboards that monitor proxy performance and security signals.
  • Integrate proxy and WAF logs with SIEM/SOC workflows (Splunk, ELK/Opensearch, Sumo Logic) and create detection rules, enrichment pipelines, and alerting for suspicious traffic patterns and incidents.
  • Perform threat modeling and risk assessments for incoming web traffic flows, propose mitigation strategies, and collaborate with application teams to remediate vulnerabilities and harden code and infrastructure.
  • Lead incident response for web traffic security events including live traffic mitigation, rule tuning, traffic blackholing/geo-blocking, and forensic capture (tcpdump/pcap) to support root cause analysis.
  • Collaborate with development teams to shift-left security by integrating static and dynamic scanning (SAST/DAST), API contract checks, and pre-deployment proxy/WAF testing into CI/CD pipelines.
  • Conduct regular security audits and penetration testing focused on the proxy/WAF layer, validate exploit mitigations, and act on findings to reduce the attack surface.
  • Maintain and evolve routing policies, health checks, sticky sessions, and cache-control strategies to optimize availability and end-user experience while upholding security requirements.
  • Implement and manage edge caching, CDN integrations (Cloudflare, Akamai), and caching headers at the proxy layer to reduce origin load and improve performance without compromising security controls.
  • Develop and maintain detailed runbooks, playbooks, and on-call procedures for common proxy incidents, configuration rollbacks, and emergency traffic engineering.
  • Coach and mentor junior engineers, conduct cross-functional security training for platform and application teams, and drive organization-wide best practices for web traffic security.
  • Maintain compliance-related configurations and documentation (PCI, SOC2, ISO) related to web traffic encryption, access controls, logging retention, and change management as part of audits.
  • Evaluate, pilot, and adopt new proxy, edge security, and API gateway technologies and services to improve security posture, developer velocity, and operational efficiency.
  • Implement secret management and key rotation practices (HashiCorp Vault, AWS Secrets Manager) for TLS keys, API keys, and service credentials used by proxies and gateways.
  • Manage and maintain multi-cloud edge and load balancing configurations (AWS ALB/NLB, GCP Load Balancing, Azure Front Door) and provide recommendations for hybrid/handoff traffic flows.
  • Define and maintain service-level objectives (SLOs) and service-level indicators (SLIs) for proxy-based services and contribute to post-incident reviews to improve reliability and security.
  • Drive cost optimization for edge and proxy infrastructure while balancing performance and security requirements, including autoscaling policies and instance sizing.

Secondary Functions

  • Support ad-hoc security incident investigations and provide tactical proxy rule updates or traffic mitigations as required.
  • Contribute to the organization's web security roadmap, including evaluation of new WAF technologies, edge platforms, and API security controls.
  • Collaborate with application, platform, and security teams to translate security requirements into proxy configuration, ingress policies, and deployment pipelines.
  • Participate in sprint planning and agile ceremonies with DevOps, Platform, and Security teams to prioritize web gateway features, technical debt, and incident remediation tasks.
  • Assist in onboarding new applications to standardized proxy and API gateway configurations and perform architecture reviews for secure exposure of services.

Required Skills & Competencies

Hard Skills (Technical)

  • Deep hands-on experience with reverse proxies and load balancers: NGINX, Envoy, HAProxy, Traefik, F5.
  • Experience operating API gateways (Kong, Apigee, AWS API Gateway) and service mesh ingress (Istio, Linkerd) in production.
  • Proficiency configuring and tuning Web Application Firewalls (ModSecurity, AWS WAF, Cloudflare WAF, F5 ASM) and custom rule development to reduce false positives.
  • Strong TLS/PKI skills: certificate lifecycle automation, OCSP, CSR generation, TLS configuration, and hashing/cipher-suite hardening.
  • Solid understanding of HTTP/HTTPS, HTTP/2, gRPC, WebSocket, and header manipulation for security and performance.
  • Automation and Infrastructure-as-Code: Terraform, Ansible, Helm, Kubernetes manifests, and GitOps workflows for proxy infrastructure.
  • Experience with container orchestration and ingress controllers on Kubernetes, including Ingress-NGINX and Envoy-based solutions.
  • Logging, monitoring, and observability tooling for security: ELK/Opensearch, Splunk, Prometheus, Grafana, Jaeger/Zipkin.
  • Familiarity with SIEM, IDS/IPS integrations, and security alerting workflows.
  • Knowledge of identity & access protocols: OAuth2, OpenID Connect, JWT, and mTLS for service-to-service authentication.
  • Performance tuning and load testing experience using tools like Locust, JMeter, k6, or Siege.
  • Scripting and tooling: Python, Go, Bash for automation, rule generation, log parsing, and operational tooling.
  • Network fundamentals: TCP/IP, BGP basics (for edge deployments), NAT, routing, and packet capture/analysis tools (tcpdump, Wireshark).
  • Cloud platform experience (AWS, GCP, Azure) with edge/load balancer services and IAM integration.
  • Familiarity with security frameworks and compliance standards (OWASP, PCI-DSS, SOC2).

Soft Skills

  • Strong communicator who can translate technical risks into business impact and write clear runbooks and RFCs.
  • Collaborative team player who partners closely with application developers, platform engineers, and security operations.
  • Analytical problem-solver with demonstrated ability to troubleshoot complex traffic, latency, and security incidents under pressure.
  • Customer-focused mindset: balances security controls with developer productivity and end-user experience.
  • Detail-oriented with a strong bias for automation, repeatability, and observability.
  • Ability to prioritize multiple operational and project tasks in a fast-paced, agile environment.
  • Mentoring and knowledge-sharing aptitude to elevate team skills and cross-functional understanding.
  • Proactive continuous learner who stays current with web security threats, protocols, and emerging proxy technologies.

Education & Experience

Educational Background

Minimum Education:

  • Bachelor's degree in Computer Science, Information Security, Computer Engineering, or equivalent professional experience.

Preferred Education:

  • Master's degree in Information Security, Computer Science, or related field.
  • Relevant certifications (CISSP, OSCP, GIAC Web Application Penetration Tester (GWAPT), Certified Kubernetes Administrator (CKA)) are a plus.

Relevant Fields of Study:

  • Computer Science
  • Information Security / Cybersecurity
  • Network Engineering
  • Software Engineering

Experience Requirements

Typical Experience Range: 3–8 years of total experience in networking, web or application security, or platform engineering with at least 2+ years specifically operating proxies, WAFs, or API gateways in production.

Preferred: 5+ years specializing in web security/proxy operations with demonstrable experience architecting and running large-scale ingress/gateway platforms across cloud and Kubernetes environments, and experience participating in on-call rotations and incident response for traffic security events.