Offensive Security Engineer (Remote) at Paylocity
This role will produce reports that document the risk of vulnerabilities identified by security assessments and penetration tests for each Product Team and our auditors. The Senior Offensive Security Engineer will also be responsible for training new Offensive Security Engineers on testing our web applications. This role will also play a key role in the Product Development Community of Practices instructing others on the practice of security testing and working directly with Product Teams to ensure that all team members are aware of Secure Development best-practices.
The below represents the primary responsibilities of the position. Other duties may be assigned as needed.
- Perform adversarial simulations which may include internet, intranet, wireless, web application, API, cloud, container security, social engineering, and physical penetration testing.
- Build appropriate test environments to enable effective security testing and help with automating security assessments and penetration tests where technically feasible
- Help evaluate, procure, implement and tune dynamic application vulnerability scanning using tools like White Hat Sentinel, IBM AppScan, HP WebInspect, Netsparker, AppSpider, or Cenzic Hailstorm
- Help evaluate, procure, implement and tune static application vulnerability scanning using tools like HPE Fortify, Checkmarx, Veracode, Coverity, etc.
- Perform Open Source Intelligence (OSINT) techniques to find unintended exposure of digital assets; leverage available resources to develop custom tools
- Identify and exploit security vulnerabilities in a wide array of systems in a variety of situations.
- Develop clear, detailed reports and recommendations based on concrete evidence from security assessments
- Engage and educate product teams on penetration testing procedures and application security best practices
- Develop, implement and update security best practices in step with the constantly changing threat landscape
- Debrief users and provide remediation strategy on findings.
- Work closely with Product Teams to help improve application security posture.
- Provide technical advice to associate team members on attacks and perform peer review of penetration test reports
- Communicate technical security concepts to technical and non-technical audiences including executives.
- Coordinate independent application penetration tests executed by external security firms
- Implement new ideas and innovations according to industry trends.
Education and Experience
- Minimum 3-5 years of experience performing adversarial simulations such as security assessments and penetration testing on cloud-based multi-tenant Software-as-a-Service (SaaS) applications
- Bachelor’s degree with a preference for computer science, information security, management information systems, or a similar major, or an Offensive Security credential such as OSCP, OSCE, OSWE, OSEE
- Information security certifications such as GPEN, CEH, CISSP, GWAPT, CSSLP, CCSP, Pentest+ are a plus
- Experience working with independent security professionals performing penetration testing
- Experience pentesting native and hybrid mobile applications beyond the use of automated tools
- Experience interpreting results from Static Code Scanning tools
- Experience performing Web Application Security / Penetration Testing in accordance with OWASP standards such as ASVS, Testing Guide, Mobile & API Top 10
- Functional knowledge of Security Token Services, Federated Identity Providers, SAML 2.0, claims-based security and other SSO technologies is a plus
- Experience in leading a pentest engagement in a high-pressure environment
- Experience with articulating technical findings to an executive audience
- Experience with writing Burp plugins or open-source security tools, presenting at security conferences, writing technical research papers, or publishing CVEs is a plus
- Experience working with Payroll, HR, Time & Labor Management, and Online Benefits Enrollment applications is a plus
- Experience in performing Red Team Engagements is a plus
- Functional knowledge of container-based application infrastructure such as Kubernetes, Docker Swarm is a plus