Web Application Security Consultant - Penetration Tester
Rapid7 is a leading provider of security data and analytics solutions that enable organizations to implement an active, analytics-driven approach to cyber security. We combine our extensive experience in security data and analytics and deep insight into attacker behaviors and techniques to make sense of the wealth of data available to organizations about their IT environments and users. Our solutions empower organizations to prevent attacks by providing visibility into vulnerabilities and to rapidly detect compromises, respond to breaches, and correct the underlying causes of attacks. Rapid7 is trusted by more than 8,400 organizations across 120 countries, including 52% of the Fortune 1000. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.
Job Overview
Do you enjoy hacking web applications, APIs and mobile applications? Are you well versed in HTTP(S) protocols, their implementation and use? Application stacks? How do you feel about attacks against SAML? As a penetration tester on the SecOpsServices team at Rapid7, you will help our clients improve their security posture through your technical skills and knowledge of defense strategies.
Our clients often present us with unique security challenges from a testing perspective. Likewise, we work with a wide variety of technology platforms and protocols. Beyond providing services to customers, you are encouraged to perform research and speak at security conferences.
But wait, we're not done yet. You will be working at Rapid7! We have some cool products and ideas and we're enthusiastic about them. Why wouldn't you want to be part of that? Send us your resume and let's talk.
Essential Responsibilities
You will be called on to conduct and lead technical assessments of web application technologies, including but not limited to:
Test susceptibility to SQL injections, Cross-Site Scripting, External Entity injections, and other input injection attacks
Review session management controls, including testing for Cross-Site Request Forgery, to ensure that web applications maintain distinct user sessions
Conduct code reviews to assess the security posture of the code and use of secure coding standards
Utilize manual and automated code analysis to assess the quality and security of source code
Conduct assessments of web applications, network infrastructures, servers, endpoints, databases, client-side applications and tools, and APIs
Perform threat analyses, including identifying critical organization assets and services, relevant threat actors, and likely threat events
Perform pre-assessment research and preparation including reconnaissance, documentation and configuration review, and customer interviews
Validate security weaknesses, research known attacks, develop custom tools and exploits, etc.
Reverse engineer thick clients, mobile apps, and proprietary binaries
Document security weaknesses, including steps to reproduce
Analyze security findings, including risk analysis and root cause analysis
Research and propose practical remediation
Lead application security-related projects, including client staff augmentation, in order to help build security into the software development lifecycle and application design reviews.
Beyond delivering these services, as a consultant you will:
Grow to support all security practice offerings in a pre- and post-sales role
Meet professional practice standards and demonstrate exceptional skill in core service areas
Develop and maintain positive relationships with clients
Participate in scoping calls with prospective clients as needed
Execute delivery work that exceeds expectations
Understand the client's business and needs
Participate in industry conferences and professional organizations
Create additional value for clients through continual insights and consultative advice based on experience with the client, their industry, established standards and leading practices
Job Requirements
5+ years in an active technical security role
Strong knowledge of the following:
Modern penetration testing tools and methods
Web-based application security concepts
Deep knowledge of the OWASP Top Ten
Windows/Linux/UNIX internals as they relate to deployed web technologies
Internet protocol suite
Experience using interpreted languages (Ruby, Python, PHP, etc.)
Knowledge of compiled languages (Java, C, C++, Assembly, etc.)
Strong written and verbal skills
Be able to work and interact with clients of various backgrounds
Maintain positive client relationships and feedback
Be comfortable explaining findings and recommendations to technical and non-technical audiences
Knowledge of common regulatory structures and obligations
Knowledge of common I.T. governance guidance
Job Plusses:
Previous technical security consulting experience
Fundamental or advanced understanding of web stacks and applications
Master's degree or foreign equivalent in Engineering, Computer Science, MIS, CIS or related field
Certifications such as GWAPT, OSWE, GPEN, GXPN, GMOB, OSCP, OSCE