A fintech company with operations spanning the globe is looking to hire a Lead Penetration Tester to lead the organization's team of 12 penetration testers. In this role, you will secure the software and applications that power the global digital market, working with 1,500+ software, QA, and operations engineers to secure applications during design, development, and production. The candidate will utilize threat modeling, white box application security analysis, and grey box penetration testing. This position will collaborate with software development teams, DevOps, and security to drive and shape the way our employees and engineers build, deploy, and operate applications.
This position is located in Atlanta and offers the following hybrid schedule options:
- 3 days onsite, 2 days remote
- Fully remote possible, based on circumstances and fit
Responsibilities
- Work with product teams to help ensure applications are designed and implemented securely during the SDLC
- Develop a repeatable framework to scale application security controls across 200+ applications
- Consume a variety of application security tools (SAST, DAST, SCA, Credential Scanning, IAC scanning) to secure web applications during development and production run-time.
- Penetration test web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques
- Demonstrate risk of detected issues to both technical and non-technical audiences
- Utilize sustainable methods to automate feedback on findings, generating developer work items and triggering a re-scan when the associated work items are closed
- Recommend code changes to eliminate vulnerabilities
- Automate security testing at various stages within the CI/CD pipeline
- Develop secure coding standards and training across multiple application frameworks and technologies
Basic Qualifications
- Minimum 6 years total experience in a technical role such as software engineer or security engineer
- Relevant experience areas (experience required in at least 3):
  - Design, implementation, and operation of a secure software development lifecycle
  - Experience with web application penetration testing and common attack vectors
  - Experience with secure application development
  - Experience with defense-in-depth strategies to help mitigate existing risk within applications
- Software development experience in a common programming language: C# (preferred), Java, C/C++, Python, or Go
- Scripting/programming skills - Python, PowerShell, GoLang, Perl, JavaScript, .NET, API Integration
- Security tooling automation in CI/CD pipelines and IDE interfaces, including Static Application Security Testing (SAST) and Software Composition Analysis (SCA) solutions such as Veracode, Checkmarx, AppScan, Xray, Synopsys, or Snyk
- Dynamic application security testing (DAST) through Metasploit, Burp Suite, OWASP ZAP, Acunetix, etc.
- Industry-relevant professional certifications:
  - ISC2 CISSP
  - Offensive Security Web Assessor (OSWA) / Expert (OSWE)
  - Offensive Security Certified Professional / Expert (OSCP / OSCE)
  - SANS GIAC Penetration Tester (GPEN)
  - SANS GIAC Cloud Penetration Tester (GCPN)
  - SANS GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
Preferred Qualifications and Skills
- In-depth understanding of various assessment tools
- Knowledge of infrastructure operations across databases, network, and system administration
- Ability to communicate with different levels of leadership conveying risk and driving urgency for risk remediation.
- Experience coordinating with application teams to drive security by design principles
- Ability to mentor and train team members to prioritize security efforts effectively
- A self-starter who can advance the application security program and follow ideas through to completion
- Hands-on experience implementing security tools into CI/CD pipelines.
- Experience testing serverless cloud deployments
