As a Web Application Penetration Tester joining our team, you will play a pivotal role in ensuring our customers' applications and underlying data are secure. Your expertise will enhance the support we provide to a wide variety of entities, including commercial enterprises and government organizations. Join us and be at the forefront of securing the data our customers rely on, while enjoying a dynamic and collaborative work culture that values innovation, growth, and teamwork.
Responsibilities:
This position operates with minimal government lead supervision supporting the Department of Defense. Our company also has a commercial assessment practice that occasionally utilizes DoD-based team members for additional assessment support:
- Evaluate a variety of deployed web applications to identify security issues that may affect data availability, reliability, and confidentiality, such as but not limited to the OWASP Top 10.
- Collaborate with customers to understand the intended flow of deployed web applications and evaluate these applications for potential flaws, such as errors in business logic, authentication and authorization flaws, input validation weaknesses, session management vulnerabilities, and other security misconfigurations that could allow deviations from the intended functionality.
- Periodically review public posts regarding vulnerabilities without a public proof-of-concept (PoC) that may be applicable to a target web application or application server. Attempt to reverse engineer these vulnerabilities and develop a working PoC, as applicable to web assets in the client's environment.
- Utilize source code or binaries, when provided or open source, to focus and prioritize testing efforts. This includes familiarity with static code analysis to identify potential vulnerabilities, understanding the application's architecture, pinpointing critical components and functions, and tailoring penetration testing strategies to efficiently uncover security flaws in the most impactful areas.
- Support customers by providing guidance on temporary mitigations and permanent remediations. This includes contributing to detailed written reports, offering remote support when necessary, and effectively communicating technical findings to a less technical audience to ensure understanding and proper implementation of security measures.
- Less frequently, as business needs require, assist with basic network penetration testing tasks, contributing to a broader understanding of the organization's security posture and supporting the overall security assessment process.
Requirements:
- Active DoD 8570 IAT Level I or greater and at least one of the following certifications in good standing: OSWA, GWAPT, GXPN, GPEN, OSCP, OSWE.
- Proficiency in using a variety of penetration testing tools, including but not limited to Burp Suite, OWASP ZAP, Metasploit, Nessus, Nmap, and various automated web application scanning tools.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy), national origin, disability, veteran status, age, genetic information, or other legally protected status.