What are the responsibilities and job description for the Application Penetration Tester II position at OnDefend LLC?
Job Overview:
We are looking for an Application Penetration Tester II with 3 years of experience, strong communication skills, creativity, innovation, and the ability to manage and resolve complex issues within a dispersed organization.
As an Application Security Penetration Tester II, you will leverage your expertise in application security, utilizing SAST/DAST/SCA tooling to perform comprehensive technical testing. The technical testing will range from source code review to adversarial tradecraft mapping to test and validate security controls of web and mobile applications. Application Penetration Testers are expected and supported to continuously improve their tradecraft and expertise through research, professional development, and experience.
Primary Responsibilities:
- Conduct technical testing of web and mobile applications including but not limited to penetration testing, vulnerability scanning, social engineering, and validating security controls.
- Perform in-depth source code reviews, providing security consulting on findings
- Implement static and dynamic security testing techniques
- Leverage automated security testing and monitoring such as integrating CI/CD pipelines
- Validate security controls around web resources and mobile applications and their backend web services
- Triage, publish, and communicate findings and recommendations to client stakeholders
- Develop comprehensive and accurate reports and presentations for varied stakeholders
- Utilize adversarial tradecraft and cyber threat intelligence to design, emulate, and execute assessments
- Perform innovative research and promote an environment of innovation and knowledge sharing
- Design and propose new penetration assessments based on prior findings and understanding of client infrastructure
- Develop/modify custom tooling or processes to solve or improve identified assessment or program needs
- Other program operational or project initiatives to be assigned
Minimum Qualifications:
- 3 years of experience performing application penetration tests or equivalent experience (i.e. 5 years designing web or mobile applications, with less than 3 years of experience in penetration testing, red team emulation, or purple team operations)
- Comprehensive background in application, network, and system security
- Experience with Windows and Nix systems
- Experience with reading, writing, and editing code written in various programming languages, such as Perl, Python, Ruby, Bash, C/C , C#, and Java
- Experience with security test tooling such as Burp Suite Pro, including identification and use of relevant plugins and extensions
- Proficiency in DAST/SAST/SCA tools like Black Duck, Coverity, Datadog, Chechmarx, Fortify Static Code Analyzer, OWASP ZAP, Acunetix, NetSparker, VeraCode, Plextrac, and Burp Suite.
Preferred Qualifications:
- Experience with conducting reverse engineering on mobile applications, including applications with anti-emulator and obfuscation protections
- Experience with Docker and Kubernetes security
- Experience or familiarity with cloud security practices or penetration tests (AWS, Azure, Oracle)
- Holds at least one industry standard certification such as GWAPT, OSCP, GCIH, GPEN, GXPN, CRTE, CRTP, CEPT, GCPN, eWPT, CASE, GSSP-Java, and GSSP-.NET
- Active contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, blogs, publications, conferences, etc.
- Experience with IOS and Android operating systems
- Experience with securing and testing API vulnerabilities
Important Note: Please note that OnDefend does not provide visa sponsorship for this position. Applicants must be authorized to work in the United States without the need for visa sponsorship.