Remote Penetration Testing Engineer - Application Security

Description:

• The Penetration Testing Engineer – Application Security is a mid-level role for a tester who can independently execute penetration tests within a primary domain of expertise.
• Engineers are offensive security subject matter experts, conducting full assessments with minimal supervision, contributing to methodology improvements, and acting as a point of contact for clients during engagements.
• They are capable of scoping and planning a test in their domain, executing tests, and producing and communicating detailed reports with practical remediation advice.
• Mid-level testers act as the technical client focal within engagements, leading technical execution for assigned projects.
• Typical experience includes approximately 3–5 years of penetration testing experience, with a track record of completed pen tests and proven competencies.
• Domain expertise requires mastery in at least one penetration testing domain, such as Web Application Security, with skills in advanced web vulnerabilities and tools like Burp Suite.
• Technical skills include strong practical skills and tool usage, familiarity with various pen testing tools and techniques, and understanding manual testing techniques.
• Soft skills involve solid communication and consulting skills, the ability to write thorough technical reports, and improved time management and project coordination skills.
• Optional certifications may include OSCP, GWAPT, GPEN, OSWE, which reinforce domain expertise.

Requirements:

• Candidates must have 3+ years of hands-on experience in web application penetration testing, with a strong understanding of the OWASP WSTG methodology.
• They should apply structured testing techniques to assess authentication, session management, access control, input validation, error handling, and business logic.
• Proficiency in using tools like Burp Suite Pro, OWASP ZAP, Postman, and custom scripts to execute and document each step of the WSTG is required.
• Candidates must demonstrate proficiency in manual testing and exploit development, including crafted payloads for various vulnerabilities.
• Understanding and testing authentication mechanisms, including OAuth, SAML, MFA implementations, and JWT, is essential.
• They should perform access control testing across roles and privilege boundaries, identifying privilege escalation opportunities.
• Validation of input validation and output encoding to uncover various flaws is necessary.
• Candidates must assess session management implementations for potential issues.
• Experience in client-side testing using browser dev tools and proxy-based inspection is required.
• Understanding API-specific attack surfaces and testing them using dynamic and manual methods is necessary.
• Comfort with code-assisted testing (grey-box) when source is available is expected.
• Scripting skills in Python, Bash, or JavaScript to automate tasks are required.
• Candidates should be able to test across various environments and maintain a methodical process following the OWASP WSTG.

Benefits:

• Evolve Security offers a progressive, startup-like culture in a high-growth segment with minimal bureaucracy and rapid impact.
• Employees engage in a fast-paced and challenging environment with opportunities to grow their talents.
• Immersive cybersecurity and technical training is provided through Evolve Security Academy.
• Competitive compensation, healthcare, 401(k) match, and flexible paid time off are included.
• The position allows for hybrid/remote work with annual vacation reimbursement and parental leave.
• Employees benefit from engaged leadership within the company.