Application Penetration Tester/Consultant
Posted on Sep 5, 2020 by Pivot Point Security
Do you like puzzles? Do you live, sleep, and breathe AppSec? Are you an advanced and experienced Application Penetration Tester looking for the next step? And finally, and most importantly, can you communicate complex issues to a client in a way anyone might understand?
Then maybe you're the one we're looking for. We need technically competent team players who love application security, have a natural thirst for knowledge, and aspire to share this gift with our team and clients. The right candidate never accepts second best but is always looking for a smarter way, lives our core values, and is as comfortable talking with senior management about Information Security, and with a business analyst about the application's usage, as they are talking about session entropy or CSRF with a developer.
We are looking for the right person to join our team as an Application Security Assessment tester/consultant. The right person will drive the growth of the Application Security service area by crafting and delivering the service as well as establishing a strategic direction. The right person is highly experienced with application security testing, including OWASP ASVS knowledge, and possesses superior written and verbal communication skills that will provide clear and actionable guidance at an appropriate level to clients in a consultative fashion to best mitigate Application Security risk.
We expect this person will:
* Establish strategic direction for the Application Security service and execute the strategy to achieve service resiliency, revenue, profit and client satisfaction goals.
* Ensure the Application/Network service has the staff training, QA guidance and tools necessary to achieve operational and service delivery goals.
* Participate as subject matter expert for Sales, Marketing, & Biz Dev for all things Application Security.
* Lead critical Application/IoT projects and deliver Application services at a level that ensures sufficient understanding of current industry conditions/trends to ensure effective Application service management.
* Meet/exceed defined contribution goals for services you will deliver.
* Achieve target Net Promoter Scores for your service by managing client relationships.
* Earn and gain the trust and respect of the PPS team.
* Other responsibilities as defined.
The right person HAS the following characteristics (these are non-negotiable):
* Personal integrity, a highly transparent nature, and a mind-set of mutual benefit.
* Thrives on and is worthy of self-managing the projects they are responsible for (micro-management is a four-letter word at PPS).
* Has very high self-expectation (self-motivated, self-aware, self-disciplined, self-improving, and self-governed). You hold yourself to a higher standard than others do.
* Enjoys work and life, values a balance, and is looking for a company that shares those ideals (understands that you don't get a second chance to see your child's first school play and that it doesn't matter if the report gets done at 3PM or 10PM, as long as it gets done).
* Highly consultative and collaborative nature; someone who enjoys helping others achieve ambitious business and information assurance goals.
* Effectively and proactively communicates in writing/speech both internally/externally from the server room to the board room.
* The ability to work from anywhere as this role is remote/virtual in nature.
* A good sense of humor and the ability to laugh at themselves.
The right person usually has the following experience (these are somewhat negotiable):
* A demonstrated solid understanding of application security, including the OWASP Top 10 and the OWASP ASVS, with experience in discovering, verifying, and exploiting these vulnerabilities.
* 5+ years of verifiable and significant application security auditing and penetration testing experience (with a preference toward ASVS assessments) and well-written deliverables that paint accurate stories our clients can understand.
* In lieu of OWASP ASVS experience, experience in assessing application security architecture and/or code review.
* Managerial experience including hiring, onboarding, mentoring, evaluating, and leading information security teams; inspire and engage the team to retain top talent and create a high-performance culture.
* Demonstrated knowledge of and ability to create Proof-of-Concept exploits for common vulnerabilities (and be able to narrate the issue, exploitation, and remediation in simple, easy to understand language):
  * XML External Entity (XXE) Exploitation.
  * Cross-Site Request Forgery (CSRF).
  * Injection-style vulnerabilities such as SQL and command injection.
* Ability to discuss vectors for sensitive data exposure within various web application frameworks.
* Experience developing a service offering for delivery and managing a team.
* Experience working with sales and marketing, as well as participating in business development to drive growth of a service.
* Demonstrated knowledge of the common approaches to remediating OWASP Top 10 and ASVS identified issues.
* Working knowledge of SDLC best practices.
* Experience with API penetration testing.
* Experience with programming or scripting languages such as Python, Ruby, or Java; data structures such as XML and JSON; and protocols and communication methods like SOAP, REST, AJAX, etc.
* Demonstrated communication and presentation skills, to include the ability to effectively work with clients in a consulting environment.
The right person often has one or more of the following attributes (these are negotiable):
* IoT testing experience.
* A demonstrated understanding of application development.
* Experience as a developer and/or secure coding best practices in a mainstream language.
* Experience performing Secure Code Reviews.
* Experience or willingness to perform public speaking.
* Offensive Security Web Expert Certification.
* Offensive Security Certified Professional Certification.
* Offensive Security Certified Expert Certification.
* CREST Register Penetration Tester.
* CREST Certified Web Application Tester.
* GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) certification.
* GIAC Penetration Tester (GPEN) Certification.
* GIAC Web Application Penetration Tester Certification.
* ISC2 Certified Information Systems Security Professional (CISSP).
* A desire to take on roles of increasing responsibility including defining services, managing teams and coordinating resources.
We're a small, but growing, company. So, we do our best to keep the right people at PPS (most of our team has been together for 6+ years) by aspiring to:
* A high-performance work environment with extremely passionate, driven, and experienced technical professionals. At Pivot Point Security, you will find colleagues you can learn from and respect.
* A management system where all employees participate in establishing the company's goals/initiatives and have ready visibility into the company's performance. We're working hard to create processes and metrics to measure our, and your, success.
* An environment where relationships are important, internally and externally. We provide the highest levels of customer service and strive to always exceed our clients' expectations.
* A competitive salary (more than most) with an F100-level benefits package (e.g., medical, dental, vision, HCFSA, 401K w/ company match, vacation and personal days).
* Providing individuals the opportunity to develop by giving them the resources required, surrounding them with great colleagues, and allowing them to take on new/big challenges.
* Work location flexibility.
As a company, we:
1. Tell the Truth (Honesty is almost always the best policy)
2. Do the Right Thing (Keep commitments, over-communicate, be transparent, confident, worthy of/thrive on freedom)
3. Smile (Life is too short not to; likeability is nearly as important as competence)
4. Seek Win-Win (Think cooperative, not competitive - seek mutual benefit in all interactions)
5. Provide Clear and Actionable Guidance
7. Are Customer Focused
At Pivot Point Security, we don't just accept difference, we celebrate it, we support it, and we thrive on it for the benefit of our employees, our clients, and our community. Pivot Point Security is proud to be an equal opportunity workplace.