The Application Penetration Tester will assist Asurion in developing truly secure products by providing best-in-class application security penetration testing and security assessment services to the product development organization, while passionately pursuing personal and organizational excellence in the field of application/product security.
Responsibilities:
- Perform in-depth and full-spectrum application and system penetration tests of internally developed products and enterprise systems.
- Identify security risks within applications, network infrastructure and security controls.
- Review product and open-source code for the purpose of assessing security and determining weaknesses / vulnerabilities.
- In conjunction with application security engineers and product development staff, assist in building threat models of internally developed products and systems for the purposes of efficiency in penetration testing and red-team efforts.
- Build and maintain positive and productive working relationships with product development teams and individuals.
- Develop security assessment scripts and frameworks and assist in efforts to automate security testing and assessment activities.
- Mentor security champions with respect to penetration testing techniques, vulnerability research, and red-team tactics.
- Provide assistance in response to product security incidents where application / product security expertise is required.
- Participate in blameless postmortems and retrospectives in an effort to improve the security of products / systems.
- Continuously learn and keep abreast of the latest technical developments in the security space.
- Perform research into and present relevant security technology, practices, and threats.
- Work closely with a small team of application security and penetration testing staff, in conjunction with product development, to ensure company products and services withstand all foreseen and reasonable attacks.
Requirements:
- BS or MS in Computer Science or Engineering.
- Scripting and programming experience (Python, Java, .NET).
- Experience with security testing tools, such as Metasploit, Burp Suite, Fiddler, Wireshark, etc.
- Hands-on, in-depth experience in application penetration testing and/or red-team activities in support of product development and enterprise goals.
- Penetration testing experience on mobile platforms (Android, iOS).
- Experience in software engineering / development.
- Knowledge of open security standards such as OWASP ASVS, NIST.
- In-depth knowledge of application security vulnerabilities and best practices.
- In-depth knowledge of network security, public cloud security (particularly AWS), PKI, and cryptography.
- Strong analytical and problem-solving skills.
- Ability to describe vulnerability findings to non-technical professionals.
- Excellent communication (oral, written, presentation) skills.
- GWAPT, CPT, OSCP, CEH, GMOB, GPEN certifications preferred.
- Experience in reverse engineering and tools (IDA Pro, Immunity, WinDbg, gdb) desirable.
- Track record in vulnerability research and CVE assignments highly desirable.
- Experience presenting at major security conferences is a plus.
- This position may require some weekend and evening assignments as well as availability during off-hours for participation in scheduled and unscheduled activities.