Role: Penetration Testing / Security Test Engineer
Location: Santa Clara CA
Role Summary
The Application Security & Penetration Testing Specialist will be responsible for conducting security assessments across web, mobile, thick client, and instrumented applications. The role includes vulnerability analysis, criticality-based reporting, and close collaboration with development, application, and product teams to support remediation. The position also provides platform administration and analytics support for SAST, DAST, SCA, and vulnerability management tools, along with cloud and infrastructure assistance as required.
Key Responsibilities
Instrument / Network Penetration Testing
- Conduct security testing of instrumented or connected applications, including exposed network services and interfaces
- Use Nessus / for vulnerability scanning and configuration assessment
- Analyse and prioritize vulnerabilities based on criticality
- Prepare detailed vulnerability reports and support application teams during remediation
Web Application Penetration Testing
- Perform security scanning and manual penetration testing of in-scope web applications
- Identify, analyze, classify, and prioritize vulnerabilities based on agreed standards such as:
  o OWASP Top 10
  o CVSS / CVS
  o Organization-specific security standards
- Produce criticality-based vulnerability reports with clear remediation guidance
- Provide clarification and consultation support to Application Development and Asset Owner teams during vulnerability remediation
Mobile Application Penetration Testing
- Conduct security testing of in-scope mobile applications (Android/iOS)
- Analyze identified vulnerabilities and prioritize them based on severity and business risk
- Generate criticality-based reports for stakeholders
- Support application teams with remediation-related clarifications
Thick Client Penetration Testing
- Perform security assessments of thick client applications
- Analyze vulnerabilities related to client-server communication, authentication, authorization, and data protection
- Prioritize findings and prepare severity-based reports
- Provide consultation support to development and application teams
Additional Security Platform & Tooling Support
SAST (Static Application Security Testing)
- Provide operational and administrative support for:
  o Coverity on Polaris
  o Polaris
  o GitHub Application Security
- Manage user access, configurations, and scan operations
- Import SAST data into Power BI for:
  o Security trend analysis
  o Risk dashboards
- Generate management and operational reports from Power BI
DAST (Dynamic Application Security Testing)
- Provide support for WhiteHat DAST tool operations
- Administer tool configurations and access
- Import scan data into Power BI for analytics and reporting
- Generate vulnerability trend and compliance reports
SCA (Software Composition Analysis)
- Provide support for Black Duck SCA
- Administer tool usage, scan scheduling, and configurations
- Import vulnerability and license risk data into Power BI
- Generate trend, risk, and compliance reports
Vulnerability Management (Tenable)
- Provide support for / Nessus
- Run vulnerability scans for product teams as required
- Provide tool administration, configuration, and access management
- Import scan data into Power BI
- Generate vulnerability posture and trend reports
Required Skills & Competencies
Technical Skills
- Strong knowledge of:
  o Web, Mobile, Thick Client, and Network Security
  o OWASP Top 10, CVSS, secure coding concepts
- Hands-on experience with:
  o Nessus /
  o WhiteHat DAST
  o Black Duck SCA
  o Coverity / Polaris / GitHub Security
  o Power BI (data import, analysis, dashboard creation)
- Understanding of AWS Cloud, containers, and infrastructure security
- Exposure to Jira administration
Soft Skills
- Strong analytical and problem-solving skills
- Ability to communicate security risks clearly to technical and non-technical stakeholders
- Collaborative mindset with application development and product teams
- Good documentation and reporting skills
Preferred Qualifications
- Certifications such as:
  o CEH, OSCP, GWAPT, AWS Security Specialty (preferred)
- Experience in regulated or enterprise environments
- Familiarity with DevSecOps practices and CI/CD security integration