Remote Penetration Testing Engineer - Application Security

at Evolve Security

Posted 2 days ago 4 applied

Description:

  • The Penetration Testing Engineer – Application Security is a mid-level role for a tester who can independently execute penetration tests within a primary domain of expertise.
  • Engineers are offensive security subject matter experts, conducting full assessments with minimal supervision, contributing to methodology improvements, and acting as a point of contact for clients during engagements.
  • They are capable of scoping and planning a test in their domain, executing tests, and producing and communicating detailed reports with practical remediation advice.
  • Mid-level testers act as the technical client focal within engagements, leading technical execution for assigned projects.
  • Typical experience includes approximately 3–5 years of penetration testing experience, with a track record of completed pen tests and proven competencies.
  • Domain expertise requires mastery in at least one penetration testing domain, such as Web Application Security, with skills in advanced web vulnerabilities and tools like Burp Suite.
  • Technical skills include strong practical skills and tool usage, familiarity with various pen testing tools and techniques, and understanding manual testing techniques.
  • Soft skills involve solid communication and consulting skills, the ability to write thorough technical reports, and improved time management and project coordination skills.
  • Optional certifications may include OSCP, GWAPT, GPEN, OSWE, which reinforce domain expertise.

Requirements:

  • Candidates must have 3+ years of hands-on experience in web application penetration testing, with a strong understanding of the OWASP WSTG methodology.
  • They should apply structured testing techniques to assess authentication, session management, access control, input validation, error handling, and business logic.
  • Proficiency in using tools like Burp Suite Pro, OWASP ZAP, Postman, and custom scripts to execute and document each step of the WSTG is required.
  • Candidates must demonstrate proficiency in manual testing and exploit development, including crafted payloads for various vulnerabilities.
  • Understanding and testing authentication mechanisms, including OAuth, SAML, MFA implementations, and JWT, is essential.
  • They should perform access control testing across roles and privilege boundaries, identifying privilege escalation opportunities.
  • Validation of input validation and output encoding to uncover various flaws is necessary.
  • Candidates must assess session management implementations for potential issues.
  • Experience in client-side testing using browser dev tools and proxy-based inspection is required.
  • Understanding API-specific attack surfaces and testing them using dynamic and manual methods is necessary.
  • Comfort with code-assisted testing (grey-box) when source is available is expected.
  • Scripting skills in Python, Bash, or JavaScript to automate tasks are required.
  • Candidates should be able to test across various environments and maintain a methodical process following the OWASP WSTG.

Benefits:

  • Evolve Security offers a progressive, startup-like culture in a high-growth segment with minimal bureaucracy and rapid impact.
  • Employees engage in a fast-paced and challenging environment with opportunities to grow their talents.
  • Immersive cybersecurity and technical training is provided through Evolve Security Academy.
  • Competitive compensation, healthcare, 401(k) match, and flexible paid time off are included.
  • The position allows for hybrid/remote work with annual vacation reimbursement and parental leave.
  • Employees benefit from engaged leadership within the company.