A fintech company with operations spanning the globe is looking to hire a Lead Penetration Tester to lead a team of 12 penetration testers for the organization. In this role, you will secure the software and applications that power the global digital market. You will work with 1,500+ software, QA, and operations engineers to secure applications during design, development, and production. The candidate will utilize threat modeling, white-box application security analysis, and grey-box penetration testing. This position will collaborate with software development teams, DevOps, and security to drive and shape the way our employees and engineers build, deploy, and operate applications.
This position is located in Atlanta and offers the following hybrid schedule options:
3 days onsite, 2 days remote
Fully remote possible, based on circumstances and fit
Responsibilities
Work with product teams to help ensure applications are designed and implemented securely during the SDLC
Develop a repeatable framework to scale application security controls across 200+ applications
Consume a variety of application security tools (SAST, DAST, SCA, Credential Scanning, IAC scanning) to secure web applications during development and production run-time.
Penetration test web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques
Demonstrate risk of detected issues to both technical and non-technical audiences
Utilize sustainable methods to automate findings feedback, generating developer work items and triggering a re-scan when the associated work items are closed.
Recommend code changes to eliminate vulnerabilities
Automate security testing at various stages within the CI/CD pipeline
Develop secure coding standards and training across multiple application frameworks and technologies
Basic Qualifications
Minimum 6 years total experience in a technical role such as software engineer or security engineer
Relevant experience areas (experience required in at least 3):
Design, implementation, and operation of a secure software development lifecycle
Experience with web application penetration testing and common attack vectors
Experience with secure application development
Experience with defense-in-depth strategies to help mitigate existing risk within applications
Software development experience in a common programming language: C# (preferred), Java, C/C++, Python, or Go
Scripting/programming skills - Python, PowerShell, GoLang, Perl, JavaScript, .NET, API Integration
Security tooling automation in CI/CD pipelines and IDE interfaces, including Static Application Security Testing (SAST) and Software Composition Analysis (SCA) solutions such as Veracode, Checkmarx, AppScan, X-Ray, Synopsys, or Snyk
Dynamic application security testing (DAST) through Metasploit, Burp Suite, OWASP ZAP, Acunetix, etc.
Industry relevant professional certifications:
ISC2 CISSP
Offensive Security Web Assessor (OSWA) / Expert (OSWE)
Offensive Security Certified Professional / Expert (OSCP / OSCE)
SANS GIAC Penetration Tester (GPEN)
SANS GIAC Cloud Penetration Tester (GCPN)
SANS GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
Preferred Qualifications and Skills
In-depth understanding of various assessment tools
Knowledge of infrastructure operations across databases, network, and system administration
Ability to communicate with different levels of leadership conveying risk and driving urgency for risk remediation.
Experience coordinating with application teams to drive security by design principles
Ability to mentor and train team members to prioritize security efforts effectively
A self-starter who can advance the application security program and follow ideas through to completion.
Hands-on experience implementing security tools into CI/CD pipelines.
Experience testing serverless cloud deployments