Lead Web App Pen Tester

Description

• Recommend code changes to eliminate vulnerabilities
• Hack the Box Bug Bounty Hunter (CBBH) / Web Exploitation Expert (CWEE)
• Utilize sustainable methods to automate finding feedback to generate developer work items and trigger re-scan when associated work items are closed
• Hack the Box Penetration Testing Specialist (CPTS) / AD Pentesting Expert (CAPE)
• Consume a variety of application security tools (DAST, SAST, SCA, Credential Scanning, IAC scanning) to secure web applications during development and production run-time
• Conduct penetration tests on web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques
• Automate security testing at various stages within the CI/CD pipeline
• Work with the software and product teams to help ensure applications are designed and implemented securely during the SDLC

Requirements

• Dynamic application security testing (DAST) through Metasploit, Burp Suite, OWASP ZAP, Acunetix, etc.
• Experience with defense-in-depth strategies to help mitigate existing risk within applications
• INE Security Web Application Penetration Tester eXtreme (eWPTX)
• Security tooling automation in CI/CD pipelines and IDE interfaces including Static Application Security Testing (SAST) and Static Application Analysis (SCA) solutions such as Veracode, CheckMarx, AppScan, X-Ray, Synopsys, or Snyk
• Experience coordinating with application teams to drive security by design principles
• Experience testing modern applications in cloud-native tech stacks
• Knowledge of infrastructure operations across databases, network, and system administration
• A self-starter who can advance the application security program and follow-through ideas to completion
• Offensive Security Certified Professional (OSCP) / Experienced (OSEP)
• Experience with mobile application penetration testing
• 5+ years total experience in a technical role with at least 3+ year of professional experience penetration testing
• Experience writing comprehensive reports that clearly demonstrate the risk of vulnerabilities to developers and technical leadership
• Bachelor’s Degree required from an accredited, not for profit university or college (preferably in Computer Science/Cybersecurity)
• Those certifications can be substituted with considerable experience in CTFs, impressive CVEs, or impressive bug bounty reports.
• Experience with common programming language: C# (preferred), Java, C/C++, Python, or Go
• Experience with web application penetration testing, identifying and exploiting attack chains to evaluate the severity of vulnerabilities within a web application
• Industry relevant professional certifications such as:
• A track record of commitment to prior employers
• Hands-on experience implementing security tools into CI/CD pipelines
• Ability to mentor and train team members to prioritize security efforts effectively
• Ability to communicate with different levels of leadership conveying risk and driving urgency for risk remediation
• In-depth understanding of various assessment tools
• Demonstrate risk of detected issues to both technical and non-technical audiences
• Scripting/programming skills - Python, PowerShell, GoLang, Perl, JavaScript, .NET, API Integration

Benefits

• Employee stock purchase plan
• Access to CoStar Group’s Diversity, Equity, & Inclusion Employee Resource Groups
• Life, legal, and supplementary insurance
• Paid time off
• 401(K) retirement plan with matching contributions
• Virtual and in person mental health counseling services for individuals and family
• Tuition reimbursement
• On-site fitness center and/or reimbursed fitness center membership costs (location dependent), with yoga studio, Pelotons, personal training, group exercise classes
• Complimentary gourmet coffee, tea, hot chocolate, fresh fruit, and other healthy snacks
• Commuter and parking benefits
• Comprehensive healthcare coverage: Medical / Vision / Dental / Prescription Drug

Training + Development

Interview process

Visa Sponsorship

Security clearance