Web Application Penetration Tester - Major League Baseball, New York, NY, USA

Listing Description

Apply here https://boards.greenhouse.io/h1912hjb/jobs/3537344

The Web Application Penetration Tester assists the Sr. Offensive Security Engineer with preparing, executing, and reporting on authorized penetration tests against web applications and related APIs. Help mature the web app security lifecycle of business-critical web applications used by millions of consumers and thousands of baseball employees.


  • No cover letter required; indicating you found this on NinjaJobs is a plus!
  • Business casual environment, excellent secondary benefits for you and your loved ones.
  • Fully remote, mostly remote or onsite in NYC are available depending on candidate preference.
  • Information Security team has members across the United States.
  • We do not require but can keep existing security clearance active.
  • Vaccine requirement

RESPONSIBILITIES

  • Apply and obey applicable statutes, laws, regulations, and internal policies, act with integrity and respect.
  • Conduct authorized penetration testing on new and updated web applications. Verify our web applications meet the OWASP Application Security Verification Standard (ASVS) by executing critical parts of the OWASP Web Security Testing Guide (WSTG).
  • Routinely perform reverse engineering, static, dynamic, and interactive analysis when penetration testing various web applications and underlying frameworks and services.
  • Perform code reviews and submit pull requests. Open and track Jira ticket lifecycles.
  • Proactively analyze web security risk and propose actionable remediation steps. Effectively communicate results to different audience types.
  • Examine real-world exploitation attempts, implement security improvements; apply virtual WAF patches, and tune advanced security rules per app.
  • Communicate new developments, breakthroughs, challenges, and lessons learned to the team and internal and external customers. Collaborate with developers, conveying unbiased and technical knowledge through software requirements to enhance application development.
  • Create playbooks for security testing, document security configurations, and research and communicate best practices to MLB and its Clubs.
  • Assist in analysis and takedown of illegal streaming services/apps.
  • Remain current with relevant OWASP/MITRE ATT&CK adversary tactics and techniques to identify threats during escalated security incidents. Stay apprised of relevant news and trends in the Information Security industry and share with the team.


WISHLIST

  • We are looking for a skilled web developer. Professional training and certification in web security are a plus.
  • Ability to execute tasks with high accuracy and thoroughness, maintain confidentiality while dealing with sensitive information.
  • Completed a Master's or Bachelor's degree in Information Technology, Information Security, Cybersecurity, Computer Science, or a related field/equivalent knowledge and experience.
  • Obtained relevant web security certifications. (e.g., SANS GWEB, Offensive Security OSWE, Pentester Academy, CREST, Portswigger, CompTIA, etc.) or can prove equal skills during an interview.
  • Strong written and oral communications skills. Ability to explain technical concepts to audiences at different levels.
  • Extensive knowledge of crypto, authentication, and authorization protocols and standards, including SSL/TLS, SAML, OAuth, JWT Tokens, is required. Same for security headers like Cross-origin resource sharing (CORS) and Content Security Policy (CSP).
  • IAST tool experience is required. (e.g., Burp Suite Pro, ZAP)
  • Experience building software solutions using programming languages like Java, Node.JS, Go, and Python is a plus.
  • A high degree of comfort interacting with/reverse engineering REST or GraphQL APIs is a plus. (e.g., Fiddler, Postman, Paw, Insomnia)
  • Experience with API or mobile penetration testing is a plus.
  • Experience as a highly technical information security consultant is a plus.


Listing Details

  • Salary: $131000 - $151000
  • Citizenship: US Citizen
  • Incentives: Bonus
  • Education: Specialized Training
  • Travel: Not Provided
  • Telework: Full Telecommute
About Us

NinjaJobs is a community-run job platform developed by information security professionals. Our unique approach of focusing strictly on cybersecurity positions allows us to personalize the user experience.

Our Contacts

1765 Greensboro Station Pl.
Suite 900
Tysons Corner Va 22102

(703) 594-7765