Overview

We are seeking a skilled and motivated Application Security Engineer to strengthen our cybersecurity team and cater to the evolving needs of our federal customer. As a technical expert in mobile application and API security, you will play a crucial role in identifying vulnerabilities within these systems. Your work will contribute to enhancing the overall security posture of our organization.

Contributions

• Mobile Application and API Security Testing: Employ your expertise in mobile application and API security to conduct comprehensive penetration testing exercises. Utilize industry-standard tools and methodologies to identify potential cyber weaknesses in these systems.
• Risk Evaluation and Reporting: Utilize a risk-based approach to evaluate the findings from your penetration testing activities. Craft detailed and insightful reports outlining vulnerabilities, potential exploits, and recommended remediation strategies.
• Collaboration and Technical Assessment: Collaborate closely with cross-functional teams, including system administrators and Information System Security Officers (ISSOs). Offer technical assessments of mobile applications and APIs across all layers of the technology stack. While deep expertise in all domains is not mandatory, a solid understanding of how different layers interact is crucial.
• Engagement with Stakeholders: Engage with system admin teams and ISSOs to discuss your findings and ensure a clear understanding of identified vulnerabilities. Your communication skills will be essential in verifying the adequacy of remediation efforts, supporting system administrators in addressing security weaknesses effectively.
• Scenario Design and Testing Strategy: Leverage your knowledge of tactics, techniques, and procedures (TTPs) used by threat actors to design relevant testing scenarios. Your ability to simulate real-world threats will contribute to robust security testing strategies.
• Continuous Process Improvement: Actively contribute to the development of standardized operating procedures (SOPs) for mobile application and API penetration testing. Your input will be valuable in refining and enhancing the efficiency of our testing processes.
• Knowledge Expansion: Stay up to date with the latest trends and developments in mobile application and API security. Continuously build upon your expertise to adapt to emerging threats and evolving technologies.

Qualifications

• Solid experience in mobile application and API security testing, including hands-on penetration testing.
• U.S. Citizen
• Familiarity with industry-standard tools and methodologies for mobile application and API security testing.
• Strong analytical skills to assess risks and vulnerabilities in complex systems.Excellent written and verbal communication skills for preparing comprehensive reports and engaging with stakeholders.
• Collaborative attitude and ability to work within a team environment.
• Relevant certifications such as Certified Mobile Application Security Tester (CMAST) or similar credentials are a plus.
• Citizenship: Due to the sensitive nature of our work with federal clients, this position requires U.S. citizenship.
• Government Security Clearance: The ability to obtain and maintain a U.S. government security clearance is essential for this role. Your eligibility to access classified information and work on secure projects is a fundamental requirement.
• Educational Background: A Bachelor's degree in an IT-related field is preferred. However, if you hold a Bachelor's degree in a non-IT field, we require a minimum of 7 years of relevant IT work experience to demonstrate your technical expertise.
• Mobile Application and API Security Testing Experience: A minimum of 5 years of hands-on experience in conducting mobile application and API security testing is required. Your deep understanding of mobile and API vulnerabilities, exploits, and countermeasures is crucial to the success of this role.
• Hardening and Remediation: Demonstrated expertise in system hardening and remediation is necessary to effectively guide system administrators in addressing vulnerabilities and implementing security controls.
• Communication Skills: Excellent written and verbal communication skills are indispensable. You will be responsible for preparing detailed reports and effectively communicating findings and remediation guidance to both technical and non-technical stakeholders.
• Collaborative Mindset: The ability to work collaboratively within a team environment is essential. You will engage with various teams, including system administrators and ISSOs, to ensure a holistic approach to security.
• Possesses at least one professional certification relevant to the technical service provided. Maintain a certification relevant to the product being deployed and/or maintained. Professional certifications must be approved by the FPM or FDPM.

Preferred Skills:

• Proficient with Mobile Application and API Penetration Testing Tools: Possess 3 years of hands-on experience using standard penetration testing suites tailored for mobile applications and APIs, such as Metasploit, nmap, burp suite, and tools within Kali Linux. Your proficiency in these tools will play a key role in identifying vulnerabilities unique to mobile and API environments.
• Effective Senior Leadership Briefing: Demonstrate a track record of effectively briefing senior leadership on technical matters related to mobile application and API security. With 2 years of experience in this capacity, your ability to translate complex security findings into actionable insights will be invaluable.
• Strong Communication Skills: Leverage your excellent written and verbal communication skills to create comprehensive reports, detailed documentation, and deliver clear presentations. Your communication prowess will facilitate collaboration and understanding among stakeholders from various technical backgrounds.
• Flexibility for After-Hours Work: Occasionally, there is the possibility to work after-hours as necessary to accommodate testing requirements and minimize operational impact.
• Active Security Research: Showcase your commitment to staying current with emerging technology trends by actively engaging in security research. Your ability to anticipate new threats and vulnerabilities will contribute to proactive security measures.
• Familiarity with MITRE ATT&CK Framework: Demonstrate familiarity with the MITRE ATT&CK framework, showcasing your understanding of adversary tactics, techniques, and procedures. This knowledge will guide your testing scenarios and ensure comprehensive assessments.
• Collaboration with ISSOs: Highlight your capability to work closely with Information System Security Officers (ISSOs) to align findings with associated security controls. This collaboration ensures that identified vulnerabilities are effectively mitigated.
• Cloud Technology Expertise: Demonstrate a working knowledge of various enterprise technology stacks used to build applications in the cloud. Your understanding of cloud infrastructure will enable you to assess security aspects unique to cloud-based mobile applications and APIs.
• Cloud Platform Experience: Possess working knowledge and practical experience in security testing within cloud platforms, particularly AWS, Azure, and Google Clouds. Your familiarity with these environments will be crucial for assessing the security of cloud-hosted mobile applications and APIs.

About steampunk

Steampunk is a Change Agent in the Federal contracting industry, bringing new thinking to clients in the Homeland, Federal Civilian, Health and DoD sectors. Through our Human-Centered delivery methodology, we are fundamentally changing the expectations our Federal clients have for true shared accountability in solving their toughest mission challenges. As an employee owned company, we focus on investing in our employees to enable them to do the greatest work of their careers – and rewarding them for outstanding contributions to our growth. If you want to learn more about our story, visit http://www.steampunk.com.

We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. Steampunk participates in the E-Verify program.