Sr. Penetration Tester (Web Application)

Seattle, WA / Technical Services (TS)
About Us: 
Leviathan Security Group is a Risk Management and Information Security firm based in Seattle, WA. Over the last 15 years, we have built a strong team of cybersecurity professionals who have developed a reputation for in-depth penetration testing and deep technical assessments up and down the stack, from hardware to web applications. With clients ranging from startups to the Fortune 50, our teams are retained to work on the most exciting, complex, and critical security projects with some of the top tech companies in the world.
 
We exist to prevent bad actors from doing bad things to good people by helping our clients identify and remediate security vulnerabilities within their environments.
 
We are a consulting firm built by industry veterans who wanted to build a better consultancy for consultants. As a result, we have tried to build a team of people you look forward to working with every day, and we try to provide the best work-life balance and benefits in the industry. While our HQ is in Seattle, WA, our consultants enjoy the benefits of working remotely from anywhere in the U.S. while doing meaningful and impactful work. We also pay the full insurance premium for medical, dental, and vision coverage for you and your dependents, and we do not claim ownership of non-client-owned intellectual property that you develop while at Leviathan.
 
About the Job 
We are searching for experienced web application penetration testers who can go beyond the tools to find security vulnerabilities and bugs. We focus on an informed testing methodology: we look at a lot of source code, business logic, configurations, software designs, and architecture to identify vulnerabilities. Most of our work right now is web-app-centric, for services hosted in cloud environments, but we don't silo our teams, so you may have the opportunity to flex into assessments of on-premises networks, IoT devices, and hardware if desired. If you already have this experience, or are open to being coached and mentored in these areas, then this position might be for you. If you get excited about performing deep technical assessments, are naturally curious, and have a desire to learn new things, then we want to talk with you!

What You Will Do:

    • Discover and catalog vulnerabilities in customer environments in a timely manner
    • Handle the most difficult applications and engagements
    • Work in project teams, communicating with internal and external PMs and completing engagements within a given deadline
    • Recognize a customer's fundamental organizational issues and tailor suggested improvements accordingly
    • Clearly explain security vulnerabilities to both technical and non-technical audiences, highlighting remediation options and prioritizing the vulnerabilities and bugs we find
    • Coach and mentor our associate-level consultants, helping them develop their skills and being available to support their growth and answer their questions

Technical Knowledge Needed:

    • Knowledge of web application vulnerabilities (the OWASP Top 10 and the Common Weakness Enumeration (CWE) list)
    • Knowledge of API technologies, how to fuzz their inputs, and industry-standard practices for securing them
    • Knowledge of common web security testing tools (e.g., Burp Suite, OWASP ZAP)
    • High-level understanding of web protocols such as HTTP/HTTPS
    • General understanding of web application security concepts
    • Understanding of industry-standard security practices for cloud environments
    • Ability to explain overall business impact to a non-technical audience
    • Eagerness to learn new things and expand your knowledge of cybersecurity topics

Technical Experience Needed:

    • Previous security experience at more than one organization, ideally conducting offensive security exercises or working as a consultant at another firm
    • Hands-on security experience in a previous role, whether as a software engineer, system administrator, SOC analyst, member of an internal offensive security team, or security consultant at another organization
    • Experience scoping test environments and estimating the level of work required to complete testing
    • Experience using or testing web technology frameworks
    • Experience threat modeling systems to identify potential security concerns in web application architectures
    • Experience creating custom test harnesses for APIs or other custom technologies
    • Demonstrable experience mentoring and leading teams on projects or engagements; unafraid to share your knowledge with others
    • Understanding of, and the ability to test for, more complex vulnerabilities such as business logic flaws, errors in processes, and race conditions

Bonus Points (not required) if you have:

    • A college education  
    • Industry-leading certifications (OSWP, GWAPT, eWPT) 
    • Experience writing tools to enhance testing 
    • Experience with testing IoT and hardware devices 
    • Mobile device and application testing experience 
    • Familiarity with scripting or programming languages 
    • Reverse engineering or assembly language knowledge 
    • Familiarity with fuzzing 
    • Bug bounty or Capture-The-Flag (CTF) experience and rankings/reputation (if you have a DEF CON CTF black badge, we want to know!)
    • Fluency in languages other than English (e.g., French, Spanish, Mandarin) 

What’s In It for You?

    • We are a people-first organization  
    • We respect work-life balance. We do our best to prevent unnecessary overtime and burnout, and we care about your well-being
    • We pay 100% of the medical insurance premiums for you and your dependents
    • We also provide short- and long-term disability, accidental death coverage, a 401k, and stock options
    • We provide an annual budget for your ongoing training, education, and professional development 
    • We allocate dedicated time away from client work for your own professional growth and development (ask about our PDT plan) 
    • We have ongoing unique and engaging training opportunities (ask about our SOS Lightning and Brown Bag Talks) 
    • You will report to a technical manager and leadership team that understands the work you do and can provide technical guidance when needed 
    • Our friendly culture is built on trust, integrity, collaboration, and the desire to learn from and support each other