Senior Security Engineer

5 - 9 years

10 - 17 Lacs

Posted: 1 day ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description

Job Title - Security Test Engineer

  • Perform Security Assessments: Conduct various types of security testing, including:
      • Penetration Testing: Perform black-box, gray-box, and white-box penetration testing on web applications, APIs, mobile applications (iOS/Android), and network infrastructure.
      • Vulnerability Assessments: Utilize automated and manual techniques to identify security weaknesses.
      • Static Application Security Testing (SAST): Analyze source code to identify potential vulnerabilities.
      • Dynamic Application Security Testing (DAST): Test applications in a running state to find vulnerabilities.
      • Interactive Application Security Testing (IAST): Combine elements of SAST and DAST for comprehensive testing.
      • Configuration Reviews: Assess the security posture of various systems and applications.
  • Threat Modeling: Participate in threat modeling sessions to identify potential attack vectors and vulnerabilities early in the development lifecycle.
  • Vulnerability Management:
      • Document identified vulnerabilities clearly and concisely, including steps to reproduce, impact, and severity.
      • Communicate findings to development teams and stakeholders effectively.
      • Track and manage vulnerabilities through their lifecycle, from discovery to remediation and retesting.
      • Provide guidance and recommendations to development teams on remediation strategies.
  • Security Tooling & Automation:
      • Utilize and configure security testing tools (e.g., Burp Suite, OWASP ZAP, Nessus, Acunetix, Fortify, Checkmarx, Metasploit).
      • Develop and implement automated security tests and scripts to improve efficiency.
      • Stay up-to-date with the latest security testing tools, techniques, and best practices.
  • Collaboration & Communication:
      • Collaborate closely with development, DevOps, QA, and product teams to integrate security into the SDLC (Secure SDLC).
      • Educate and mentor developers on secure coding practices and common vulnerabilities.
      • Participate in security code reviews.
      • Present security findings and recommendations to technical and non-technical audiences.
  • Research & Development:
      • Stay informed about emerging security threats, attack vectors, and industry trends.
      • Contribute to the improvement of security testing methodologies and processes.
      • Participate in security community activities, conferences, and training.

Required Skills & Qualifications:

  • Education: Bachelor's degree in Computer Science, Information Security, or a related field (or equivalent practical experience).
  • Experience:
      • Junior Level: 1-3 years of experience in security testing, penetration testing, or application security.
      • Mid-Level: 3-6 years of experience in security testing, penetration testing, or application security.
      • Senior Level: 6+ years of experience in security testing, leading penetration testing engagements, and architecting secure solutions.
  • Technical Skills:
      • Strong understanding of web application security vulnerabilities (e.g., OWASP Top 10, SANS Top 25).
      • Proficiency with security testing tools (e.g., Burp Suite, OWASP ZAP, Nmap, Metasploit).
      • Experience with various operating systems (Linux, Windows).
      • Familiarity with scripting languages (e.g., Python, Ruby, PowerShell, Bash).
      • Understanding of network protocols, firewalls, and intrusion detection/prevention systems.
      • Knowledge of secure coding principles and common programming languages (e.g., Java, Python, C#, JavaScript, Node.js).
      • Experience with cloud security (AWS, Azure, GCP) is a strong plus.
      • Familiarity with CI/CD pipelines and integrating security into automated workflows.
  • Soft Skills:
      • Excellent analytical and problem-solving skills.
      • Strong communication and interpersonal skills, with the ability to explain complex technical concepts to non-technical audiences.
      • Ability to work independently and as part of a team.
      • High attention to detail and a methodical approach to testing.
      • Curiosity and a strong desire to learn and stay current with security trends.

Desired Certifications (Plus, but not required):

  • OSCP (Offensive Security Certified Professional)
  • OSWE (Offensive Security Web Expert)
  • CEH (Certified Ethical Hacker)
  • CompTIA Security+
  • SANS certifications (e.g., GWEB, GWAPT, GPEN)
  • CSSLP (Certified Secure Software Lifecycle Professional)


AIS business solution

Information Technology / Business Solutions

Business City
