Do you feel most at home with a browser and a proxy at your fingertips? Do you feel like scanners are just to catch the low hanging fruit and that the real findings are left for the human testers? Have you tested hundreds of applications and still want more? If this describes you, you’re in luck! We are looking for an experienced developer/application security tester to join our team of highly skilled penetration testers.
If you feel most at home with a scanner and manually following up on those vulnerabilities, this is NOT the kind of job we are offering.
Required Skills
- Three (3) years' experience exclusively performing application security testing/code review, or five (5) years' mixed experience performing application security assessments, code review, and software development
- Advanced ability to detect, define, exploit, and remediate OWASP top 10 vulnerabilities without the use of a vulnerability scanner (a browser, a proxy, an editor, and YOU)
- Extensive experience/expertise in the use of an attack proxy (Burp, Zap, etc.)
- Experience in use of source code scanners (Veracode, Fortify, Sentinel, Checkmarx, AppScan Source, etc.) and the ability to manually validate findings/eliminate false positives
- Experience using web application vulnerability testing suites is expected (Netsparker, AppScan, WebInspect, Acunetix, etc.)
- Intermediate knowledge of Web Services technologies such as XML, JSON, SOAP, REST, AJAX, etc.
- Programming experience in two of the following languages: C#, Java, Python, Ruby
- Experience with Enterprise Java or .NET web application frameworks
- Database knowledge in MS SQL, MySQL, Oracle, etc.
All of our consultants are expected to treat everyone with whom they work with the utmost respect. Our clients are our partners and we are an extension of their team, whether that is for a single engagement or as part of a multi-year engagement. Every position at Lares is client-facing, so you need to be able to write reports, communicate ideas, answer questions, and otherwise interact with clients in a respectful manner. If you think that clients are dumb and that their code sucks, this is not the right place for you.
Nice to Have Skills
You should know your way around the common professional exploitation frameworks (e.g. Core Impact, Canvas, Metasploit) and have a strong working knowledge of exploitation outside of the typical “click to exploit” type of testing. We are not asking if you can scan something and only attempt an exploit that is in msf/Core/Canvas.
You should have full working knowledge of Kali Linux or similar testing distributions and most of the tools within. Experience with penetration testing as a consultant is preferred. We believe that writing reports is just as important as finding flaws, so you should be able to communicate professionally and write clear and concise reports.
Though not required, the following certifications would be considered nice to have:
CISSP, CISA, OSCP, OSWP, OSCE, OSEE, OSWE, any of the GIAC certs, CEH, LTP, etc.
Note: Lares will always value hands-on and demonstrable skills ahead of industry certifications.
Locations
- Greater Houston Area (The Woodlands, TX)
- Denver, CO
- Atlanta, GA
- Remote – If you’re the right person, you can work anywhere in the mainland US that has fast internet and is near a major airport
If you are looking for a straight 9-5 job, you’re probably better off looking elsewhere. We work hard and play even harder. We expect you to live your life and enjoy it, but we also want you to have just as much fun working with the team and our list of clients. We are a family and treat each employee AND client as a member of that family.
We strongly support community involvement and our team members regularly speak at conferences around the world. Our consultants have time in their schedule dedicated to research and teaching/speaking. Yearly trips to conferences and classes are also encouraged.
Salary & Benefits
Salary is commensurate with experience and includes access to some of the best medical, dental, and vision coverage in the industry. Lares also provides an open vacation policy and values sick, personal wellness, and volunteer days across the organization.
If you’re still reading and interested, please send a resume and a note to firstname.lastname@example.org explaining why you think you would be a good fit.