Preferred GIAC Certifications: GWAPT, GXPN, GPEN, GMOB
Title: Application Penetration Tester 3
The Application Penetration Tester will assist Asurion in developing truly secure products by providing best-in-class application security penetration testing and security assessment services to the product development organization, while passionately pursuing personal and organizational excellence in the field of application/product security.
Essential duties and responsibilities:
Perform in-depth and full-spectrum application and system penetration tests of internally developed products and enterprise systems.
Identify security risks within applications, network infrastructure and security controls.
Review product and open-source code for the purposes of assessing security and determining weaknesses / vulnerabilities.
In conjunction with application security engineers and product development staff, assist in building threat models of internally developed products and systems for the purposes of efficiency in penetration testing and red-team efforts.
Build and maintain positive and productive working relationships with product development teams and individuals.
Develop security assessment scripts and frameworks and assist in efforts to automate security testing and assessment activities.
Mentor security champions with respect to penetration testing techniques, vulnerability research, and red-team tactics.
Aid in response to product security incidents where application / product security expertise is required.
Participate in blameless post-mortems and retrospectives in an effort to improve the security of products / systems.
Continuously learn and keep abreast of the latest technical developments in the security space.
Perform research into and present on relevant security technology, practices, and threats.
Work closely with a small team of application security and penetration testing staff, in conjunction with product development, to ensure company products and services withstand all foreseen and reasonable attacks.
Here’s what you’ll bring to the team:
BS or MS in Computer Science or Engineering (degree focus in security a plus) or equivalent knowledge / experience
Scripting and programming experience (Python, Java, .NET)
Experience with security testing tools, such as Metasploit, Burp Suite, Fiddler, Wireshark, etc.
3+ years of hands-on, in-depth experience in application penetration testing and/or red-team activities in support of product development and enterprise goals.
Penetration testing experience on mobile platforms (Android, iOS)
1+ years of experience in software engineering / development.
Knowledge of open security standards such as OWASP ASVS, NIST.
In-depth knowledge of application security vulnerabilities and best practices.
In-depth knowledge of network security, public cloud security (particularly AWS), PKI, and cryptography.
Strong analytical and problem-solving skills.
Experience mentoring junior analysts/engineers toward professional maturity.
Experience leading small teams of engineers in a fast-paced environment.
Ability to describe vulnerability findings to non-technical professionals.
Excellent communication (oral, written, presentation) skills.
GWAPT, CPT, OSCP, CEH, GMOB, GPEN certifications preferred.
GXPN, OSCE, OSWE, CEPT, OSEE certifications are a plus.
Experience in reverse engineering and tools (IDA Pro, Immunity, WinDbg, gdb) desirable.
Track record in vulnerability research and CVE assignments highly desirable.
Experience presenting at major security conferences is a plus.