
Penetration Tester

Insight Global
Scottsdale, AZ Full Time
POSTED ON 2/12/2025
AVAILABLE BEFORE 5/4/2025

The Senior Software Engineer III is primarily responsible for penetration testing a variety of environments based on methodical adherence to attack-scoring frameworks. They will build, deploy, and maintain new security automation and orchestration tooling to integrate scanning and monitoring for compliance within existing pipelines. They also review and guide internal teams in developing more secure codebases, while educating them on best practices to build a strong security-first culture.

The following are essential accountabilities:

In-Depth Penetration Testing & Threat Modeling

Conduct ongoing internal and third-party vendor penetration testing and auditing aligned with compliance and legal objectives.

Perform threat modeling in accordance with OWASP Top 10, MITRE ATT&CK, and similar attack-scoring frameworks.

Monitor, test, and proactively report on current threats and vulnerabilities to respective teams.

Research and educate on emerging threats within similar environments and landscapes, along with offering remediation solutions for such.

Security Tooling, Automation, & Orchestration

Build, ship, and maintain various security packages to internal application codebases for automation.

Identify vulnerable dependencies across the organization and work with individual teams to resolve them.

Install programmatic measures to prevent and mitigate repeat vulnerability occurrences.

Integrate security monitoring within existing CI/CD pipelines. Work with Ansible and Jenkins is a plus.

Build complex regex and other pattern identification scripts and parsing to identify potential injection attempts.

Build and integrate APIs from disparate systems for orchestrated audits and scans.

Knowledge of and experience with data protection concepts such as: (a) data obfuscation, anonymization, and de-identification; (b) secrets management; and (c) vault services.

Experience building parameterized/prepared-statement query interfaces for applications is a plus.

Secure-SDLC (sSDLC) Guidance, Codebase Review, & Support

Develop detailed security design and procedures across the enterprise to drive a standardized set of requirements and align with internal policies.

Lead secure-SDLC and product security maturity efforts to adopt a shift-left approach to security.

Conduct platform/service workload design and architecture reviews, as well as audit source code for compliance.

Monitoring, Logging, & Reporting

Parse a variety of debug logs for determining behavioral baselines to better formulate granular internal policies and standards.

Orchestrate log ingestion into tools and tuning rulesets for advanced metrics reporting on enterprise-wide security posture.

Build leaderboards and reporting interfaces on current and forecasted KPIs and risk indicators.

Other General Duties

Provide product security related coaching and mentoring to elevate security expertise of development teams.

Take ownership of security decisions made in the engineering organization by helping organization members make clear decisions in alignment with organizational goals, backing decisions made, and taking responsibility for their success.

Foster a positive company-wide culture by having conversations based on organizational strategy and principles to create alignment.

Ensure security goals are understood and continuously worked towards across the organization.

Take ownership and responsibility for organizational security practices and processes and their continuous improvement.

Effectively handle risk, change, and uncertainty across the organization.

Facilitate organization-wide discussions, ensuring that everyone has an opportunity to share their opinion and be heard, and that discussion outcomes are tied to stated goals.

Actively advance a culture of documentation and knowledge sharing across the organization.

Respond in a timely manner to on-call security notifications when scheduled on monthly rotation.

The above statements are intended to describe the general nature and level of work being performed. They are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required of employees in this position.

We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com.

To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.

Experience with AWS or other cloud platforms

Experience with MySQL

Any credentials from the following certification bodies: ISC2, ISACA, CompTIA, GIAC, AWS, Azure, TOGAF, SABSA

Participation in bug hunting/bug bounty communities is a plus.

Experience with PCI, GDPR, or CCPA is a plus.

5-15 years of experience in penetration testing, with a focus on web application testing

Experience with Kali Linux tools (kali.org/tools/) such as Burp, ZAP, or Metasploit, or Burp Suite, or Kali Linux alternatives.

Metasploit, Burp Suite, ZAP, Nessus

Open-source web application penetration testing apps

Experience with Vulnerability Scanning
