
Junior Application Security Penetration Tester (1)


Join us at Sparksoft, where we're not just another tech company—we're a catalyst for change. Our mission isn't just to offer IT solutions; it's to revolutionize the way you work. Here, passion isn't just a buzzword; it's the fuel behind groundbreaking ideas and transformative technologies. We serve a wide range of government clients, delivering impact that's felt across the nation.
Our true strength lies in our people. They're the problem-solvers and innovators consistently delivering extraordinary outcomes. With Sparksoft, you're not stepping into a routine job; you're joining a team committed to innovation and excellence. Our innovation extends beyond just delivering projects. Through our specialized Innovation Centers, we continuously refine our methods, ensuring we remain industry leaders. We are Sparksoft!

ROLE & RESPONSIBILITIES:


  • As a Junior Application Security Penetration Tester, your primary mission is to help safeguard our digital assets by identifying and mitigating vulnerabilities in our web applications and RESTful APIs. You will work closely with development and security teams to ensure our software is resilient against modern cyber threats.
  • Perform hands-on security evaluations of web applications and APIs, guided by industry-standard frameworks such as OWASP Top 10 and SANS CWE Top 25.
  • Simulate real-world attack scenarios to uncover potential weaknesses in application logic and implementation.
  • Conduct both manual and automated reviews of source code, primarily in Java and Scala, to detect security flaws.
  • Use static and dynamic analysis techniques to identify issues early in the development lifecycle.
  • Detect and document common vulnerabilities including Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), and Privilege Escalation.
  • Analyze the root causes of these vulnerabilities and assess their potential impact.
  • Provide clear, actionable recommendations to developers and stakeholders for fixing identified vulnerabilities.
  • Support teams in implementing secure coding practices and validating fixes.
  • Leverage tools such as Burp Suite Pro for dynamic application testing and Postman or Bruno for API security testing.
  • Stay updated with the latest tools and techniques in the penetration testing landscape.
  • Prepare detailed, well-structured reports that outline findings, risk levels, and suggested mitigations.
  • Communicate technical issues in a way that is understandable to both technical and non-technical audiences.
  • Work closely with software engineers, architects, and QA teams to integrate security into the software development lifecycle.
  • Participate in discussions to align security requirements with business goals.
  • Contribute to architectural and design reviews from a security perspective.
  • Help shape secure design patterns and influence secure software architecture decisions.

REQUIRED EXPERIENCE: 


  • Strong understanding of OWASP Top 10 and SANS 25
  • Proficiency in vulnerability assessment and code review techniques
  • Experience with static, dynamic, and penetration testing of web applications and APIs
  • Familiarity with secure coding practices and DevSecOps principles
  • Ability to analyze and interpret scan reports from SAST, DAST, and SCA tools
  • Basic scripting skills for tool integration and automation
  • Excellent communication skills for report writing and stakeholder interactions
  • 2-3 years of experience in application security, including:
  • Secure code review (Scala, Java, JavaScript, Spring Framework)
  • Static and Dynamic Analysis Security Testing (SAST and DAST)
  • Manual penetration testing of Web Applications and REST APIs
  • Working knowledge of CI/CD processes, AWS security principles, Jenkins, and GitHub
  • Proven ability to work independently and as a team member
  • Strong organizational, attention-to-detail, multi-tasking, and time-management skills
  • Candidates must be able to obtain and maintain a Public Trust clearance
  • Candidates must have lived in the United States 3 out of the past 5 years

PREFERRED EXPERIENCE:


  • N/A

EDUCATION & CERTIFICATIONS:


  • Desired Certifications: GPEN, GWAPT, OSCP, or CompTIA PenTest+ (not required but beneficial)
  • A bachelor’s degree in Computer Science, Information Technology, or a related field is required, or an equivalent combination of education and experience.

If you need accommodation seeking employment with Sparksoft Corporation, please email Sparksoft.Accommodations@sparksoftcorp.com or call 410-424-7700. Accommodations are made on a case-by-case basis.
At Sparksoft Corporation, we take security and protection of personal information very seriously. We will never ask you to send private personal information over email. Accordingly, we ask you to immediately contact our security team via email at abuse@sparksoftcorp.com upon receiving a suspicious request.

Life at Sparksoft Corporation

Sparksoft helps clients achieve their business objectives by providing innovative, best-of-breed software products and technology solutions at substantial cost savings. The Sparksoft team has considerable industry experience with a wide range of leading companies.
Thrive Here & What We Value

1. Passion-Fueled Innovation
2. Industry Leaders
3. Collaborative Environment
4. Specialized Innovation Centers
5. Groundbreaking Ideas
6. Committed to innovation and excellence
7. Proactively identifies issues and fixes them effectively
8. Organized and detail-oriented
9. Ability to multi-task
10. Handles and works well under pressure