As the Senior Penetration Testing Engineer, you will be a key player on the Capital Group (CG) AppSec/Penetration Testing team, a crucial part of CG's Information Technology Group under Information Security. In this role, you'll conduct comprehensive security assessments, including web application and network penetration tests, code reviews, security design reviews, and red/purple team assessments.
You'll identify security vulnerabilities across various systems through threat modeling, code reviews (Java, TypeScript/JavaScript, Python), and dynamic application testing. Additionally, you'll develop proof-of-concept exploits and deliver security assessments to key technology stakeholders, explaining risks and mitigations.
This hybrid role (in-office 3 days/week) can be based in Irvine, CA; San Antonio, TX; or New York, NY, depending on your location or preference.
Key Responsibilities
- Comprehensive Security Assessments: Perform in-depth penetration tests, infrastructure vulnerability assessments, and application security assessments to identify weaknesses and potential attack vectors.
- Execution of Tests/Assessments: Plan and execute penetration testing activities using a variety of tools (SAST, DAST, SCA tools) and techniques, including network scanning and web application testing.
- Analysis and Reporting: Analyze test results and prepare detailed reports documenting identified vulnerabilities, their potential impact, and recommended remediation actions.
- Stakeholder Collaboration: Work closely with cross-functional teams, including developers, system administrators, and business stakeholders, to prioritize and address security findings. Communicate effectively and empathetically with development teams by authoring clear, actionable guidance on writing secure code.
- Staying Current: Keep up to date with the latest security trends, vulnerabilities, and attack techniques to continuously improve testing methodologies and stay ahead of potential threats. Advocate for secure software development methodologies among development teams.
- Developing Tools: Develop automated proof-of-concepts and automated security tests by creating security testing tools.
- Red and Purple Team Assessments: Execute red and purple team tests of detective tooling, including EDR tools, security telemetry tools, and anti-virus software. Utilize knowledge of the MITRE ATT&CK Framework (Cloud, macOS, Windows, Linux), and AI-based software systems.
- Capture-the-Flag Competitions: Develop, organize, and lead Capture-the-Flag (CTF) competitions and actively participate in such events.
Qualifications
- Education: Bachelor's degree in computer science, a related field, or equivalent experience.
- Experience: Minimum of 5 years in Penetration Testing, Red Team, or Application Security.
- Technical Skills: Strong understanding of network security, TCP/IP, DNS, TLS, HTTP, IPsec, 802.11, etc. Experience with security tools and technologies such as REST APIs, Burp Suite, ZAP, Kali Linux, Windows, macOS, Nmap, Metasploit, PowerSploit, LOLBins, etc.
- Automation: Ability to automate tasks in Python, Bash, Java, C/C#/C++, Rust, etc.
- Cloud Security: Strong understanding of attacks against AWS, Azure, GCP, OAuth, WebSockets, etc.
- Certifications: Professional certifications such as Offensive Security Certified Professional (OSCP), OffSec Certified Expert (OSCE), or GIAC Penetration Tester (GPEN) preferred.
- Vulnerability Knowledge: Strong knowledge of common security vulnerabilities, attack vectors, and exploitation techniques.
- Communication Skills: Excellent written and oral communication skills, with the ability to simplify and document complex technical details for both technical and non-technical audiences.
- Quick Learner: Proven ability to develop a deep understanding of systems and business risks quickly.
- Coaching Experience: Experience coaching and working with engineers to build security and privacy by design.
- Application Security: Experience performing application design, threat detection, incident response, patching, vulnerability remediation, secure development training, and user training.
- Frameworks: Familiarity with secure development frameworks (e.g., OWASP Top 10, SANS Top 25, Microsoft SDL).
- Security Technologies: Proficiency in testing the evasion resistance of, and tuning, security technologies (e.g., anti-malware, IDS, DLP, FIM, firewalls, SIEM, MFA, web proxies, and WAF).
- Cloud Best Practices: Familiarity with AWS security best practices and Infrastructure-as-Code.
- Independence and Initiative: Ability to work independently, collaboratively, and take the initiative to drive security initiatives forward.
- Multi-tasking: Ability to manage multiple tasks and coordinate/delegate to achieve speedy resolutions to application security-related incidents globally.
- Analytical Skills: Strong analytical and problem-solving abilities, with a keen attention to detail.
Salary Information
- Southern California Base Salary Range: $148,045 - $236,872
- San Antonio Base Salary Range: $121,706 - $194,730
- New York Base Salary Range: $156,935 - $251,096
In addition to a highly competitive base salary, you will be eligible for an individual annual performance bonus, Capital's annual profitability bonus, and a retirement plan where Capital contributes 15% of your eligible earnings.
Benefits
- Health and Wellness: Health insurance, health reimbursement account, dental insurance, vision insurance, life insurance, short-term disability, long-term disability, HSA, fitness subsidies, mental health benefits.
- Parental Benefits: Birth parent or maternity leave, non-birth parent or paternity leave, fertility benefits, adoption assistance program, family support resources, on-site/nearby childcare, adoption leave.
- Work Flexibility: Flexible work hours, remote work opportunities, hybrid work opportunities.
- Office Life and Perks: Commuter benefits program, casual dress, snacks, holiday events.
- Vacation and Time Off: Paid vacation, paid holidays, personal/sick days, leave of absence.
- Financial and Retirement: 401(K), pension, performance bonus, relocation assistance, financial counseling.
- Professional Development: Tuition reimbursement, promote from within, mentor program, shadowing opportunities, access to online courses, internship program, work visa sponsorship, leadership training program, associate or rotational training program.
- Diversity and Inclusion: Diversity, equity, and inclusion program, employee resource groups (ERG), founder-led.
Equal Opportunity Employer
We are an equal opportunity employer and comply with all federal, state, and local laws that prohibit discrimination in all decisions about employment. Our policies prohibit unlawful discrimination based on race, religion, color, national origin, ancestry, sex (including gender and gender identity), pregnancy, childbirth and related medical conditions, age, physical or mental disability, medical condition, genetic information, marital status, sexual orientation, citizenship status, AIDS/HIV status, political activities or affiliations, military or veteran status, status as a victim of domestic violence, assault, or stalking, or any other characteristic protected by federal, state, or local law.
Client-provided location(s): San Antonio, TX, USA; New York, NY, USA; Irvine, CA, USA
Job ID: Capital_Group-JR3053
Employment Type: Full Time
Conclusion
As a Senior Penetration Testing Engineer at Capital Group, you will be at the forefront of securing critical information systems and applications against sophisticated cyber threats. This role offers a unique opportunity to utilize your technical expertise in penetration testing, threat modeling, and security assessments while collaborating with cross-functional teams to enhance the organization's overall security posture.
With competitive compensation, comprehensive benefits, and a commitment to professional development, Capital Group provides an environment where you can thrive and make a significant impact. If you are passionate about cybersecurity and eager to contribute to a dynamic team, we invite you to apply and join us in our mission to protect and secure our technology assets.
Take the next step in your career and help Capital Group stay ahead of emerging threats while ensuring the safety and integrity of our systems. Apply now and become a vital part of our dedicated and innovative Information Security team.