Web Application Tester Job at Clearance Jobs, Alexandria, VA

  • Clearance Jobs
  • Alexandria, VA

Job Description

Web Application Penetration Tester

As a Web Application Penetration Tester joining our team, you will play a pivotal role in ensuring our customers' applications and underlying data are secure. Your expertise will enhance the support we provide to a wide variety of entities, including commercial enterprises and government organizations. Join us and be at the forefront of securing the data our customers rely on, while enjoying a dynamic and collaborative work culture that values innovation, growth, and teamwork.

Responsibilities: This position operates with minimal government lead supervision supporting the Department of Defense. Our company also has a commercial assessment practice that occasionally utilizes DoD-based team members for additional assessment support:

  • Evaluate a variety of deployed web applications to identify security issues that may affect data availability, reliability, and confidentiality, including but not limited to those in the OWASP Top 10
  • Collaborate with customers to understand the intended flow of deployed web applications and evaluate these applications for potential flaws, such as errors in business logic, authentication and authorization flaws, input validation weaknesses, session management vulnerabilities, and other security misconfigurations that could allow deviations from the intended functionality
  • Identify and analyze potential attack chains by evaluating how individual vulnerabilities can be combined to exploit the application, and provide comprehensive mitigation strategies
  • When using automated scanning tools, manually confirm identified or tentative issues, and ensure that the coverage provided by these tools meets the customers' expectations
  • Periodically review public posts regarding vulnerabilities without a public proof-of-concept (PoC) that may be applicable to a target web application or application server. Attempt to reverse engineer these vulnerabilities and develop a working PoC, as applicable to web assets in the client's environment
  • Utilize source code or binaries, when provided or open source, to focus and prioritize testing efforts. This includes familiarity with static code analysis to identify potential vulnerabilities, understanding the application's architecture, pinpointing critical components and functions, and tailoring penetration testing strategies to efficiently uncover security flaws in the most impactful areas.
  • Support customers by providing guidance on temporary mitigations and permanent remediations. This includes contributing to detailed written reports, offering remote support when necessary, and effectively communicating technical findings to a less technical audience to ensure understanding and proper implementation of security measures.
  • Less frequently, as business needs require, assist with basic network penetration testing tasks, contributing to a broader understanding of the organization's security posture and supporting the overall security assessment process
  • This position requires a hybrid onsite work schedule and occasional travel to other locations.

Requirements:

  • Bachelor's degree and 5+ years recent experience in offensive cyber security targeting web applications required; having prior experience elsewhere in information technology or cyber security fields is a plus. Education can be substituted by solid experience in the field.
  • Active DoD 8570 IAT Level I or greater and at least one of the following certifications in good standing: OSWA, GWAPT, GXPN, GPEN, OSCP, OSWE
  • Active DoD Top Secret clearance
  • An understanding of common web application vulnerabilities and a willingness to learn as new vulnerabilities are discovered and documented
  • Ability to communicate effectively, while conveying highly technical concepts to both technical and nontechnical stakeholders
  • Familiarity with at least one common web-related programming language
  • Familiarity with working under both Windows and at least one *nix-like OS; having a common certification demonstrating familiarity with administering an OS is a plus
  • Proficiency in using a variety of penetration testing tools, including but not limited to Burp Suite, OWASP ZAP, Metasploit, Nessus, Nmap, and various automated web application scanning tools.
  • Coding/Scripting experience a plus

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy), national origin, disability, veteran status, age, genetic information, or other legally protected status.

Job Tags

Permanent employment, Temporary work, Remote work
