Sr. Web Application Penetration Tester - Cybersecurity

Position: Sr. Web Application Penetration Tester - Cybersecurity

Location: Remote

Hiring Mode: 12 Months Contract

Job Description:

The Senior Web Application Penetration Tester is responsible for identifying security vulnerabilities in internally developed and third-party web applications used across the Utility. This role focuses exclusively on application-layer security testing, helping ensure that customer-facing and internal web applications are resilient against real-world threats. The position works closely with application development, cloud, and security teams to reduce risk and improve secure development practices.

Key Responsibilities:

Web Application & API Penetration Testing

• Conduct manual and automated penetration testing of web applications and RESTful APIs
• Identify and exploit common and advanced web vulnerabilities (e.g., OWASP Top 10, business logic flaws)
• Test authentication, authorization, session management, and access controls
• Perform API security testing including authorization bypass, mass assignment, and input validation flaws
• Assess application security across development, test, and production environments (as authorized)

Secure SDLC & Collaboration

• Partner with application development and DevSecOps teams to integrate security testing into the SDLC
• Provide guidance on secure coding practices and vulnerability remediation
• Support threat modeling and design reviews for new or enhanced applications

Reporting & Risk Communication

• Produce detailed penetration test reports with clear reproduction steps and remediation recommendations
• Communicate risk in business-appropriate language for technical and non-technical stakeholders
• Validate remediation through follow-up testing and re-assessments

Tools & Techniques

• Use industry-standard tools such as Burp Suite, OWASP ZAP, Postman, and custom scripts
• Leverage manual testing techniques to identify business logic and workflow vulnerabilities
• Stay current on emerging web application attack techniques and defenses

Required Qualifications

• 6+ years of cybersecurity experience with a strong focus on web application penetration testing
• Demonstrated experience testing modern web applications and APIs
• Strong understanding of HTTP/S, REST, JSON, authentication mechanisms, and web architectures
• Proficiency with tools such as Burp Suite Pro and API testing tools
• Working knowledge of at least one scripting or programming language (e.g., Python, JavaScript, or PowerShell)
• Strong written and verbal communication skills

Preferred Qualifications

• Experience testing customer-facing applications in regulated environments
• Familiarity with cloud-hosted applications and CI/CD pipelines
• Knowledge of OWASP ASVS, SAMM, or similar application security standards
• Certifications such as OSCP, GWAPT, OSWE, or similar