Principal, Attack Surface Management - Pen Testing

Northern Trust · Chicago, IL

Company

Northern Trust

Location

Chicago, IL

Type

Full Time

Job Description

Act as a subject matter expert for Application Security with a focus on penetration testing.

Operate and mature the penetration testing program with a combination of internal talent and external providers. Collaborate within the Application Security space with other team functions such as SAST, DAST, Open Source Analysis/Security and threat modeling. Guide application teams through the lifecycle of selecting a provider, execution, test results, remediation, periodic follow-up and risk treatments.

In addition to technical ability, an awareness of the broader risk landscape and the ability to understand and improve SSDLC and related processes are expected. Must have the ability to influence and collaborate with various teams to further security goals and objectives.

Since we are geographically distributed, the capability and willingness to work with people across locations is expected.

  • A background in security architecture and application security concepts such as web-app security and the OWASP Top Ten, and familiarity with exploitation patterns and mitigations, is required.
  • Experience with pen testing toolsets such as Kali & Burp Suite is required.
  • Experience managing external consultants and service providers for security functions is required.
  • Recent experience in leading or managing pen-testing teams is preferred.
  • Past experience in SAST, DAST, threat modeling and open source scanning is preferred.
  • Experience in secure development in a cloud environment is preferred.
  • Background in application development, such as building apps in at least one language in recent history, is preferred.
  • Familiarity with the vocabulary and practices of technology risk management is preferred.
  • OSCP / GXPN certification is preferred.
  • Experience using ServiceNow is preferred.
  • Experience in a financial or other heavily regulated industry is preferred.
  • Familiarity with the cybersecurity industry

A college or university degree and/or relevant work experience is required.

12+ years of overall experience in information security and technology development, including 4+ years in penetration testing.

Date Posted

02/17/2023
