
Web Application Security Test Engineer



September 27, 2018
Pleasanton, CA

Title: Web Application Security Test Engineer

Location:   Pleasanton, CA

Duration: 1 year


Job Details:

• The scope of duties for the Web Application Security Test Engineer includes, but is not limited to, the following:

• Acquire a complete understanding of the Client and its information systems.

• Capture and define the security test requirements.

• Plan, research, and design robust security architecture test strategy for any IT project.

• Perform vulnerability testing, risk analysis, and security assessments.

• Research security standards, security systems and authentication protocols with the Client.

• Apply testing methodologies and tools to complex applications for finding weaknesses and security vulnerabilities early in the SDLC process.

• Apply an understanding of application security principles, risks, attacks, OWASP security guidelines and best practices to perform SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and IAST (Interactive Application Security Testing).

• Develop test requirements for Web Applications Security Testing for all releases using automated tools and manual testing.

• Design test plans for DAST, OWASP Top 10 Most Critical Web Application Security Risks, public key infrastructures (PKIs), including use of certification authorities (CAs) and digital signatures.

• Proficiency in application security testing tools such as Acunetix Web Vulnerability Scanner, Burp Suite, Fortify WebInspect, Nessus, Nmap and other commercial and open source tools.

• Define, implement and maintain Corporate or Enterprise security policies and procedures

• Oversee security awareness programs and educational efforts

• Respond immediately to security-related incidents and provide a thorough post-event analysis.

• Define all entry points to the system, such as: files, sockets, hypertext transfer protocol (HTTP) requests, named pipes, pluggable activities, protocol handlers, malicious server responses and so on.

• Analyze potential threats and perform risk analysis based on the entry points defined. Example of threats and the methods to analyze them.

Technical and Demonstrable Skills

The Consultant resource(s) shall possess most of the following skills:

• At least 5 years’ experience doing web application security testing.

• Exploit security flaws and vulnerabilities with attack simulations on multiple projects working against specific client focused scopes of work.

• Ability to move between black-box, gray-box and white-box testing depending on client needs.

• Ability to test a variety of client form factors and technologies based on scopes of work

• Ability to solve complex technical problems and articulate to non-IT personnel.

• Ability to effectively provide technical risk assessment of technologies in networks, applications, wireless, social engineering, code reviews and war dialing.

• Ability to perform vulnerability assessments and penetration testing, utilizing commercial and open source tools.

• Perform, review and analyze security vulnerability data to identify applicability and false positives.

• Research and develop testing tools, techniques, and process improvements.

• Perform risk-based security code reviews (static and dynamic).

• Conduct penetration testing in line with Open Web Application Security Project (OWASP) guidance.

• Mentor junior engineers to build their skills and contribution levels

• Write technical reports that include suggested resolution for identified problem areas and perform operational risk assessment.

• Support company through the testing and evaluation of new technologies and security controls.

• Assist and support Security Test Analysts as they perform vulnerability and network security assessments.

• May require the performance of other essential functions depending upon work location or assignment.

• Experience with DevOps and SIEM tools (e.g. Chef, Vagrant and Splunk)

• Experience with scripting languages (e.g. Python, Perl, SQL) a plus

• Ability to perform the following tasks:

• Dynamic Application Security Testing (DAST)

• Static Application Security Testing (SAST)

• Interactive Application Security Testing (IAST)

• Web Application Penetration Testing

• Product Security Testing

• Cloud Application Security Testing

• Web Services Security Testing

• Security Code Review

• Network Security Assessment

• Security testing tools and references: IBM AppScan, Burp Suite, Tamper Data, Live HTTP Headers, HP Fortify, Veracode, OWASP Top 10, N-Stealth, Hailstorm, Paros, SANS Top 20, Acunetix, Nessus


The Consultant resource(s) shall be knowledgeable in most of the following areas:

• Knowledge and understanding of basic information security principles (e.g. OWASP Top Ten)

• Knowledge of security best practice guidelines (ISO 17799, now ISO/IEC 27002; NIST; etc.)

• Relevant professional experience, including working knowledge of penetration testing.

• OSI Layers and application protocols

• TCP/IP networking including IP classes, subnets, multicast, NAT

• WINS, DNS and DHCP; network troubleshooting

• Microsoft OS and Server technologies

• Remote access methods

• Backup and disaster recovery methodologies

• Patch management technologies and processes

• Wireless protocols and services

• Network analysis tools

• Familiarity with UNIX a plus

• Application Security and IS certifications are preferred:

• GIAC Certified Web Application Defender (GWEB)

• Offensive Security Web Expert (OSWE)

Rose International is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, sexual orientation, gender (expression or identity), national origin, arrest and conviction records, disability, veteran status or any other characteristic protected by law. Positions located in San Francisco and Los Angeles, California will be administered in accordance with their respective Fair Chance Ordinances.

Rose International has an official agreement (ID #132522), effective June 30, 2008, with the U.S. Department of Homeland Security, U.S. Citizenship and Immigration Services, Employment Verification Program (E-Verify). (Posting required by O.C.G.A. § 13-10-91.)
