Application Penetration Tester

As an Application Security Penetration Tester, you will be entrusted with the critical responsibility of safeguarding web applications and REST APIs from potential threats. Your role will require a deep understanding of the OWASP Top 10 and SANS 25, as these frameworks will guide your efforts in identifying and mitigating security vulnerabilities. Your daily tasks will involve performing thorough security assessments of third-party libraries, analyzing dependencies, and conducting both automated and manual code reviews. You will be adept at uncovering a range of security issues, including Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection, and Privilege Escalation, and you will not only identify these vulnerabilities but also provide actionable recommendations for remediation. Mastery of tools like BurpSuite is essential, as it will be your primary instrument in executing dynamic and penetration security testing. Furthermore, you will be expected to write comprehensive reports that detail your findings and suggest enhancements to bolster system security. In this role, you will also serve as a pivotal bridge between development teams and stakeholders, ensuring that security requirements are clearly communicated and understood. Your ability to define, maintain, and enforce application security best practices will be crucial in maintaining the integrity of the software development lifecycle. You will be involved in software security architecture and design reviews, ensuring that security is integrated from the ground up. Familiarity with Continuous Integration and Continuous Deployment (CI/CD) is necessary, as you will be responsible for integrating and automating security tools within DevOps processes. **Required Skills:** + Serve as a liaison between development teams and stakeholders to understand and formulate security requirements. + Define, maintain, and enforce application security best practices. + Deep understanding of OWASP Top 10, SANS 25 + Perform third-party libraries security assessment and dependency analysis. + Conduct vulnerability assessment and manual/automated code review of Java and Scala applications to find security vulnerabilities (CSRF, XSS, SQL Injection, Privilege Escalation, etc.) and recommend remediation. + Analyze scan reports from varied tools (SAST, DAST and SCA) to identify the issues, interpretate, and provide recommendation to remediate the vulnerabilities across a variety of applications, programming languages, and platforms + Conduct static, dynamic and penetration security testing of Web Applications and REST APIs. + Performs software security architecture and design reviews. + Write comprehensive reports including assessment-based findings, outcomes, and propositions for further system security enhancement. + Identify and demonstrate vulnerabilities to application owners and recommend remediation for security vulnerabilities. + Knowledge of scripting language to integrate and automate security tools within DevOps CI/CD processes. **Required Experience** : + 3 years of experience in Secure Code Review, specifically with languages such as Scala, Java, JavaScript and Spring Framework + 3 years of practical experience with Static Analysis Security Testing (SAST) and Dynamic Analysis Security Testing (DAST), + 3+ years of hands-on experience with manual penetration testing of Web Applications and REST APIs using BurpSuite Pro and Postman/Bruno + Deep understanding of Secure Coding best practices and DevSecOps principles + Proficiency of OWASP Top 10 and SANS 25 standards and testing guidelines + Knowledge of Continuous Integration and Continuous Deployment (CI/CD), AWS Security principles, Jenkins and GitHub **Desired Certification** : GPEN, GWAPT, OSCP, or CompTIA PenTest **Compensation Ranges** Compensation ranges for ASM Research positions vary depending on multiple factors; including but not limited to, location, skill set, level of education, certifications, client requirements, contract-specific affordability, government clearance and investigation level, and years of experience. The compensation displayed for this role is a general guideline based on these factors and is unique to each role. Monetary compensation is one component of ASM's overall compensation and benefits package for employees. **EEO Requirements** It is the policy of ASM that an individual's race, color, religion, sex, disability, age, sexual orientation or national origin are not and will not be considered in any personnel or management decisions. We affirm our commitment to these fundamental policies. All recruiting, hiring, training, and promoting for all job classifications is done without regard to race, color, religion, sex, disability, or age. All decisions on employment are made to abide by the principle of equal employment. Physical Requirements The physical requirements described in "Knowledge, Skills and Abilities" above are representative of those which must be met by an employee to successfully perform the primary functions of this job. (For example, "light office duties' or "lifting up to 50 pounds" or "some travel" required.) Reasonable accommodations may be made to enable individuals with qualifying disabilities, who are otherwise qualified, to perform the primary functions. **Disclaimer** The preceding job description has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities and qualifications required of employees assigned to this job. 120000 EEO Requirements It is the policy of ASM that an individual's race, color, religion, sex, disability, age, gender identity, veteran status, sexual orientation or national origin are not and will not be considered in any personnel or management decisions. We affirm our commitment to these fundamental policies. All recruiting, hiring, training, and promoting for all job classifications is done without regard to race, color, religion, sex, veteran status, disability, gender identity, or age. All decisions on employment are made to abide by the principle of equal employment.