Lead Application Penetration Tester (DC, MD, VA)

Remote · USA Full-time New today

Job Location: On site 4 days a week, one day a week remote

Job Overview

We are looking for a Lead Application Penetration Tester with 5+ years of experience, strong communication and leadership skills, creativity, innovation, and the ability to manage and resolve complex issues within a dispersed organization. This role is ideal for someone with a passion for cybersecurity, a deep understanding of application security, and the ability to identify and mitigate vulnerabilities. The successful candidate will play a critical role in identifying security risks to applications and guiding our security testing teams in accurate and effective vulnerability risk triage and remediation recommendations.

As a lead, you will provide technical expertise as well as oversee a security testing team performing comprehensive security assessments of a cloud-native, microservices-based architecture. Your primary focus will be on web and mobile applications, static code analysis, cloud security testing, adversary emulation, and continuous security posture improvement. You will mentor junior team members and lead the development of security strategies and best practices.

You will leverage your expertise in application security, utilizing tools such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis) to perform both static and dynamic source code reviews. Additionally, you will employ threat modeling and threat actor attack mapping to continually validate the effectiveness of security controls. The primary goal is to ensure that the security controls implemented by the organization are functioning as intended. By doing so, you will enhance the overall security defenses and collaborate with global development teams to support the ongoing security of the adopted application.

Primary Responsibilities:

  • Lead and mentor a team of security testers, providing guidance and support to ensure high-quality security assessments.

  • Conduct technical testing of web and mobile applications including but not limited to source code analysis, penetration testing, vulnerability scanning, adversary emulation, source code enabled pentesting, and validating security controls.
  • Perform in-depth source code reviews, providing security consulting on findings.
  • Implement static and dynamic security testing techniques.
  • Leverage automated security testing and monitoring such as integrating CI/CD pipelines.
  • Validate security controls around web resources and mobile applications and their backend web services.
  • Triage, publish, and communicate findings and recommendations to stakeholders.
  • Develop comprehensive and accurate reports and presentations for varied stakeholders.
  • Utilize adversarial tradecraft and cyber threat intelligence to design, emulate, and execute assessments.
  • Perform innovative research and promote an environment of innovation and knowledge sharing.
  • Design and propose new penetration assessments based on prior findings and understanding of client infrastructure.
  • Develop/modify custom tooling or processes to solve or improve identified assessment or program needs. Other program operational or project initiatives to be assigned.

Minimum Qualifications:

  • 5+ years of experience performing application penetration tests, source code review or equivalent experience (i.e. 5+ years designing web or mobile applications, with less than 3 years of experience in penetration testing, red team emulation, or purple team operations)
  • Comprehensive background in application, network, and system security
  • Experience leading security assessments and security testers
  • Experience with static code analysis and mobile application or web application security testing
  • Experience with reading, writing, and editing code written in various programming languages, such as Perl, Python, Ruby, Bash, C/C++, C#, JavaScript, and Java
  • Experience with security test tooling such as Burp Suite Pro, including identification and use of relevant plugins and extensions
  • Proficiency in DAST/SAST/SCA tools like Black Duck, Coverity, Datadog, Checkmarx, Fortify Static Code Analyzer, OWASP ZAP, Acunetix, Netsparker, Veracode, PlexTrac, and Burp Suite.

Preferred Qualifications:

  • 2+ years in a leadership role managing security assessments and teams.
  • Holds at least one industry standard certification such as GWAPT, OSCP, GCIH, GPEN, GXPN, CRTE, CRTP, CEPT, GCPN, eWPT, CASE, GSSP-Java, and GSSP-.NET
  • Active contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, blogs, publications, conferences, etc.
  • Experience with iOS and Android operating systems
  • Experience with adversary emulation and incorporating cyber threat intelligence into testing requirements and emulations
  • Experience with securing and testing API vulnerabilities
  • Experience with conducting reverse engineering on mobile applications, including applications with anti-emulator and obfuscation protections
  • Experience with Docker and Kubernetes security
  • Experience or familiarity with cloud security practices or penetration tests (AWS, Azure, Oracle)

Benefits

Beyond a role, joining OnDefend means becoming part of a community dedicated to making a difference.

We offer

  • Health Insurance: Comprehensive health insurance plans covering medical, dental, and vision.
  • 401(k) Matching: Company matches contributions to the 401(k) retirement plan up to a certain percentage.
  • Generous Paid Time Off (PTO): Including vacation days, sick leave, and holidays to help you recharge and spend time with loved ones.
  • Training and Development: Access to professional development programs, workshops, and certifications.
  • Tuition Reimbursement: Financial support for further education and courses related to the job.
  • Career Growth Opportunities: Clear career progression paths and opportunities for promotion.
  • Inclusive Environment: A diverse and inclusive workplace where all employees feel valued.
  • Team Building Activities: Regular team-building events and social gatherings.
  • Technology and Tools: Access to the latest technology and tools needed to perform the job effectively.

Important Note: Applicants must be authorized to work in the United States on a full-time basis without the need for current or future employer sponsorship.
