Offensive Security Engineer
Posted on 3/18/2023
Remote • Dorchester, Boston, MA, USA
Experience Level
Desired Skills
Microsoft Azure
Operating Systems
  • A passion for security and an attacker mindset
  • 3+ years of proven code review and penetration testing experience in both web applications and infrastructure; finding vulnerabilities and defining effective strategies for remediation and hardening
  • Experience testing and securing infrastructure on cloud providers such as AWS/Azure
  • Applied Secure SDLC knowledge
  • Experience with static and dynamic code analysis
  • Strong scripting and development skills in languages such as Java, JavaScript, Ruby, Python, etc
  • Security certifications such as OSCP, OSCE, OSAP, eCPPTv2, PNPT
  • Ability to write formal assessment reports and to explain vulnerabilities to different stakeholders
  • Knowledge and understanding of attack surfaces for enterprise systems and services
  • Solid understanding of TCP/UDP ports and protocols and web requests including POST, GET, HTTP headers, user agents, request parameters, cookies, etc
  • Solid understanding of the OAuth 2.0 authorization flow, JWT, and how to identify and exploit common vulnerabilities in web-based applications and network environments
  • Self-starter with the ability to work independently, interface with multiple teams, and willingness to overcome challenging problems while identifying opportunities for improvement
  • Experience threat modeling SaaS products, cloud infrastructure, RESTful microservices, etc
  • Significant hands-on penetration testing experience and offensive capabilities in numerous core competency areas including web applications, mobile applications, cloud infrastructure, etc
  • Experience with a variety of open-source and commercial testing tools in areas such as web interception proxies, packet capture, debugging, and API interaction
  • Understanding of hashing, encryption, and hash cracking technology
  • Experience developing exploits and adding functionality to open-source tools
  • Applied security research, cryptography, reverse engineering, and fuzzing experience
  • Additional certifications such as OSWE, GPEN, GXPN, CREST, OSEP, CRTO, or BSCP will be very desirable
  • Experience in vulnerability management within containerized environments
  • Strong SaaS and cloud security skills, with a focus on AWS
  • Understanding of common Microsoft Active Directory/Azure AD environment security and related vulnerabilities
  • AWS Certified Solutions Architect, AWS Certified Security Specialist or similar certifications preferred, CCSP or CISSP
  • Plan and start executing penetration tests against web applications and infrastructure; produce reports for stakeholders
  • Ensure the implementation of HITRUST controls within the scope of your responsibilities
  • Develop and maintain an organization's threat profile and threat models
  • Develop monthly threat landscape updates
  • Responsible for conducting and coordinating penetration testing and red teaming activities, researching and analyzing vulnerabilities, identifying relevant threats, developing corrective action recommendations, and summarizing and reporting results
  • Develop and refine methodologies to conduct Red Team operations successfully and consistently covering all areas of technology
  • Design and develop scripts, frameworks, tools, and the methods required for facilitating and executing complex scenarios, emulating malicious actor behavior aimed at avoiding detection
  • Perform manual penetration testing of web applications, APIs, and internal and external networks
  • Coordinate external penetration and web application scanning activities
  • Document in detail the results of assessments, audits, tests, and verification activities
  • Perform manual validation of vulnerabilities
  • Defining, maintaining, and implementing application security best practices to meet HITRUST and other security requirements
  • Providing guidance to Engineering teams during design reviews, including threat modeling
  • Develop and maintain the Information Security team's threat models/profiles
  • Coordinate and facilitate tabletop exercises
  • Evaluating the impact on the organization of current security advisories, publications, and trends
  • In partnership with the Security Architect, review web applications, source code, operating systems, and network security architectures to identify vulnerabilities and define effective strategies for remediation and hardening
  • Explaining and demonstrating vulnerabilities/findings to product stakeholders, providing remediation steps, and designing solution prototypes and/or implementing security enhancements
  • Participating in building and maturing security capabilities and operations
  • Participating as a key member of the Incident Response team and serve as a web application and network security SME focused on determining impact, root cause, and resolution associated when needed
  • Identifying, vetting, and coordinating third-party vendors in meeting third-party application security testing requirements
Healthcare analytics platform