Security Engineer - Penetration Testing - Cybersecurity

Issaquah, WA, US • Posted 7 hours ago • Updated 7 hours ago
Full Time
On-site
USD $150,000.00 - 190,000.00 per year

Job Details

Skills

  • Cyber Security
  • Bloomberg
  • Retail
  • Innovation
  • Optimization
  • Wholesale
  • Systems Architecture
  • Security QA
  • Mentorship
  • Virtualization
  • Information Systems
  • Access Control
  • Hardening
  • Loss Prevention
  • Legal
  • Security Controls
  • System Security
  • Dashboard
  • Continuous Improvement
  • Documentation
  • Internal Auditing
  • Leadership
  • Regulatory Compliance
  • Authentication
  • Knowledge Base
  • OWASP
  • Computer Networking
  • Information Security
  • Incident Management
  • ROOT
  • Information System Security
  • Security Operations
  • System On A Chip
  • Data Integrity
  • Mapping
  • Vulnerability Management
  • Forensics
  • Malware Analysis
  • Research
  • Web Applications
  • Database
  • Scripting
  • C
  • C++
  • Ruby
  • JavaScript
  • Python
  • SQL
  • Windows PowerShell
  • Metasploit
  • Burp Suite
  • Nessus
  • INSPECT
  • Network
  • Software Development
  • Microsoft Windows
  • Linux
  • Testing
  • Auditing
  • Cloud Computing
  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud
  • Google Cloud Platform
  • Orchestration
  • Kubernetes
  • Docker
  • Emulation
  • GitHub
  • Jenkins
  • Management
  • Report Writing
  • Motivation
  • OSCP
  • GPEN
  • GSEC
  • GCIA
  • GCIH
  • ECSA
  • GCFA
  • CHFI
  • Certified Ethical Hacker
  • Penetration Testing
  • Gmail
  • Privacy
  • Pharmacy
  • Health Care
  • Insurance
  • Life Insurance
  • Recruiting
  • Authorization
  • Employment Authorization

Summary

Costco IT is responsible for the technical future of Costco Wholesale, the third largest retailer in the world with wholesale operations in fourteen countries. Despite our size and explosive international expansion, we continue to provide a family, employee centric atmosphere in which our employees thrive and succeed.

This is an environment unlike anything in the high-tech world and the secret of Costco's success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others.

Come join the Costco Wholesale IT family. Costco IT is a dynamic, fast-paced environment, working through exciting transformation efforts. We are building the next generation retail environment where you will be surrounded by dedicated and highly professional employees.

Security Engineers develop, design, implement, and integrate security systems used to safeguard enterprise assets against cyber-attack. Security Engineers drive innovation, influence delivery, and maximize performance. They deliver high quality artifacts, develop and run security tests, and continuously tune security tools for optimization. Security Engineers identify gaps and inefficiencies and work with the business to implement solutions based on their requirements.

The role of each Information Security team member is to support the overarching values and business goals of Costco Wholesale, including meeting legal, ethical, and regulatory obligations; protecting member privacy; and maintaining a security technology environment for our operations.

Penetration testers provide consultative services, working with internal business team members to conduct service engagements for security testing. Penetration testers perform reviews of system architecture documentation; create scopes of work for engagements, conduct security testing engagements on scoped assets, systems, processes, and/or employees; mentor team members.

If you want to be a part of one of the worldwide BEST companies "to work for", simply apply and let your career be reimagined.

ROLE
  • Provides security and technical expertise to support the development of security objects to satisfy business requirements.
  • Analyzes and administers security policies to control physical and virtual system access.
  • Identifies and investigates security issues and develops security solutions that address compliance requirements that can/do impact security.
  • Identifies, develops, and implements mechanisms to detect security incidents in order to enhance compliance and support of the security standards and procedures.
  • Assesses business role requirements, reviews authorization roles, and supports authorizations.
  • Demonstrates a comprehensive skill set with testing authorizations for multiple environments and coordinates testing with business/technical users.
  • Validates system configurations to ensure the safety of information systems assets and protects information systems from intentional or inadvertent access or destruction.
  • Implements best practice when applying knowledge of information systems security standards/practices (e.g., access control and system hardening, system audit and log file monitoring, security policies, and incident handling).
  • Designs and coordinates activities/engagements with other departments (loss prevention, legal, networking, etc).
  • Identifies security gaps that expose Costco to potential exploit and develops short- and long-term prioritized remediation to address those gaps.
  • Develops and executes security controls, defenses, and countermeasures to intercept and prevent internal/external data infiltrations.
  • Determines strategy and protocol for network behavior, analysis techniques, and tool implementation.
  • Identifies and resolves problems often anticipating issues before they occur or before they grow; develops and evaluates options; and implements solutions that support the business.
  • Provides subject matter expertise in systems security policies, standards/practices, protocols, and technologies.
  • Configures, deploys, maintains, and supports security tools.
  • Protects confidentiality, integrity, and availability of information from being disclosed to unauthorized parties.
  • Creates dashboards, configures alerts, implements and supports security software platforms, and monitors tools/apps.
  • Identifies opportunities for streamlining, and increasing effectiveness through continuous process improvement.
  • Implements practices, processes, and procedures consistent with Costco's information security policy and IT standards.
  • Develops and documents security events and incident handling procedures into Playbooks.
  • Ensures that incident documentation is comprehensive, accurate, and complete.
  • Triages, prioritizes, investigates, and coordinates security events and incident handling activities.
  • Collaborates with business partners, project teams, and team members to build secure solutions that protect data and enable the business with tools and processes that make sense and adapt to changing business needs both on-premises and in the cloud.
  • Works with Compliance, Internal Audit, and Business teams to identify, test and analyze risks.
  • Works with stakeholders to provide security engagements to test their systems and business requirements.
  • Assumes a leadership role in advocating internally and externally for compliance to security measures to protect cloud-based applications and environments.
  • Documents security findings from penetration testing engagements and reports the risks of those findings to the business owner and management.
  • Finds vulnerabilities in various spaces such as web applications, native applications, database systems, authentication flows, distributed systems and designs, and protocols. Pulls from a flexible knowledge base of topics such as OWASP, memory corruption, privilege escalation, networking, etc. to find both common and uncommon issues.
  • Researches and remains up to date with emerging threats and Threat Emulation methodologies.
  • Provides actionable "blue team" defensive guidance and code-level fix recommendations to Engineering teams.
  • Communicates Information Security matters to Executives, Auditors, end-users, and Engineers, using appropriate language, examples, and tone.
  • Works collaboratively to solve problems with groups, find win/win solutions, and celebrate successes.
  • Works with Incident Response team as necessary to consult on discovered security incidents by informing appropriate custodians, determining root cause, and actions (if necessary) required to re-establish respective information system security.
  • Participates in Purple Team exercises, collaborating with the Security Operations Center (SOC) to tune detection logic and improve alerting telemetry based on test findings.
  • Conducts testing in production environments with a "do-no-harm" approach, ensuring system availability and data integrity are maintained.
  • Leads comprehensive assessments of features and large-scale applications and environments. This includes mapping out the surface area and assessing prioritization based on time, resource, and general importance tradeoffs.
  • Navigates through an ecosystem of multiple domains, technologies, protocols, and stakeholders.
  • Creates and maintains new tools to support pentests efforts.
  • Provides subject matter expertise support in the detection, analysis, and mitigation of malware, trends in malware development and capabilities, and proficiency with malware analysis capabilities.
  • Participates in team activities and team planning with regard to improving team skills, awareness, and quality of work.
  • Continues personal growth in the areas of technology, business knowledge, and Costco policies and platforms.
  • Designs, configures, and maintains various degrees of security.

REQUIRED
  • 5+ years' experience with assessing APT threats, penetration testing, vulnerability management, attack methodologies, forensics analysis techniques, malware analysis, attack surface comprehension, Cyber Threat Emulation operations, Cyber Advanced Threat Emulation Team operations and research, identification, and verification of new APT TTPs.
  • Proven operational experience in penetration testing or cyber threat emulation.
  • Experience and security knowledge around native applications, web applications, distributed and database systems.
  • Proficiency in scripting in one or more languages (e.g. C/C++, Ruby, dotnet, js, python, sql, Powershell, others).
  • Exposure or experience with tools such as Kali Linux, Metasploit, Burp Suite, Cobalt Strike, Tenable Nessus, Web Inspect, IDA Pro.
  • Ability to ramp up and understand new designs, systems, and technology.
  • Understands security issues for large scale cloud services and network infrastructures.
  • Understands software development processes and hybrid-cloud based infrastructure.
  • Thorough experience with Windows, Linux, and cloud environment testing.
  • Experience auditing and exploiting Cloud IAM misconfigurations (e.g., privilege escalation in AWS, Azure, or Google Cloud Platform).
  • Technical knowledge of container orchestration, specifically Kubernetes (K8s), and Docker security.
  • Experience developing custom exploits and exploitation tools in support of authorized penetration tests or cyber threat emulation exercises.
  • Expertise in policies, industry trends, and techniques related to penetration testing.
  • Experience assessing the security of automated deployment pipelines and secrets management (e.g., GitHub Actions, Jenkins, HashiCorp Vault).
  • Subject matter expertise in Advanced Persistent Threat or Emerging Threats.
  • Deep understanding of risk scoring frameworks such as CVSS or DREAD.
  • Experience managing C2 (Command and Control) infrastructure for long-term engagements.
  • Grasps both the technical and non-technical details well enough to enumerate inappropriate or abusable security expectations.
  • Demonstrates a logical and structured approach to time management and task prioritization.
  • Strong proficiency in pentest report writing.
  • Ability to handle highly confidential information in a strictly professional manner.
  • High enthusiasm, integrity, ingenuity, results-orientation, self-motivation, and resourcefulness in a fast-paced environment.
  • Depending on the pentest requirements, one or more team members may be required to work outside of regular business hours for the duration of the engagement.
  • Certifications: OSCP, GPEN.
  • GSEC (GIAC Security Essentials).

RECOMMENDED
  • A relevant degree.
  • One or more certifications for penetration testing: GCIA, GCED, GCFE, GCTI, GNFA, GCIH, CND, ECSA, OSEE, OSCE, GCFA, GREM, CHFI, CEH, GWAPT, GISF, GXPN.
  • Red Teaming, including leading a targeted operation (planning, scoping, approval, reconnaissance and discovery, execution of attacks, pivoting, persistence, and remediation).
  • Some pentest engagements may need one or more team members to travel.
  • Proficient in Google Workspace applications, including Sheets, Docs, Slides, and Gmail.

Required Documents
Cover Letter
Resume

California applicants, please click here to review the Costco Applicant Privacy Notice.

Pay Ranges:

Level SR - $150,000 - $190,000, Bonus and Restricted Stock Unit (RSU) eligible

Level Staff - $180,000 - $225,000, Bonus and Restricted Stock Unit (RSU) eligible

We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), stock purchase plan to eligible employees.

Costco is committed to a diverse and inclusive workplace. Costco is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or any other legally protected status. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to

If hired, you will be required to provide proof of authorization to work in the United States. In some cases, applicants and employees for selected positions will not be sponsored for work authorization, including, but not limited to H1-B visas.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: COSWA001
  • Position Id: a003ac2a0e9e6164a7df10257d9cfc75