Job Description
We are seeking a talented and motivated Application Penetration Tester to join our growing security team. In this role,
you will be responsible for identifying and exploiting vulnerabilities in web applications, APIs, and mobile applications.
You will work closely with developers and security engineers to remediate vulnerabilities and improve the overall security posture of our applications.
Communication and collaboration are paramount to this role, the application penetration tester will be working closely with internal stakeholders on a continuous basis,
providing application security testing and secure application design and implementation guidance.
The successful candidate will be able to demonstrate recent experience undertaking comprehensive application penetration testing using manual and automated testing techniques.
The successful candidate will join the central architecture and design team that comprises enterprise, security, and technical architecture disciplines as well as including the application penetration testing team.
Responsibilities will include:
· Plan and execute penetration testing engagements for web applications, APIs, mobile applications, thick clients, infrastructure and cloud penetration testing.
· Identify and exploit vulnerabilities in applications using manual and automated testing techniques.
· Document findings in detail, including proof-of-concept exploits and recommendations for remediation and report writing skills.
· Collaborate with development and security teams to remediate vulnerabilities and improve application security.
· Stay up-to-date on the latest hacking techniques, vulnerabilities, and security tools.
· Participate in security code reviews and provide guidance on secure coding practices.
· May assist with developing and maintaining internal security tools and processes.
Experience
Essential
● Experience using a formal application penetration testing methodology such as Open-Source Security Testing Methodology Manual (OSSTMM) or Penetration Testing Execution Standard (PTES).
● Experience using Kali Linux including bundled penetration testing tools (Nmap, Wireshark, OWASP ZAP, Sqlmap, Metasploit).
● Experience using Burp Suite for application penetration testing.
● Knowledge of scripting and programming languages (e.g., Python, Ruby, Bash, Powershell) for custom tool development and automation.
● Familiarity with various operating systems and network structures, including client/server, Unix/Linux systems, Mac OS X, VMware/Xen, Virtual Box and cloud technologies such as AWS, Azure, or Google Cloud and Active Directory.
● Understanding of common application issues and remediation techniques, OWASP Top 10.
● Understanding of secure development practices within a secure software development lifecycle, experience of Waterfall, Agile and DevOps / DevSecOps practices.
● Hold at least one recognised application penetration testing certification, e.g. Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), CompTIA PenTest+.
● Can produce high quality documentation including test reports and best practice guidance.
● Good Interpersonal, written and verbal communication skills.
Desirable
· Working knowledge of threat modelling methodologies to conduct threat-modelling against new applications and services.
● Familiarity with compliance & security standards across the enterprise IT landscape such as ISO 27001 and NCSC Cyber Essentials, as well industry security requirements such as NIST and CIS.
