Job Details
- Position: Security/Penetration Tester
- Location: Remote in Sacramento
- Duration: 6+ months contract
- MOI: Virtual
Job Description
An experienced Security Testing Consultant is sought to conduct comprehensive penetration testing, vulnerability assessments, and validation of security controls across cloud platforms, applications, and CI/CD systems. The ideal candidate will demonstrate deep expertise in cloud security posture, secure development practices, and regulatory compliance validation.
Key Responsibilities
- Conduct credentialed and non-credentialed web application and API penetration testing using tools such as Tenable WAS, Burp Suite, Nmap, sqlmap, and others.
- Perform port and service scans and analyze attack surfaces for systems and applications.
- Assess and validate implementation of security controls against NIST SP 800-53 Rev 5 and FIPS 140-3.
- Evaluate secure configurations and posture across multiple platforms including:
  - AWS or similar cloud environments
  - Containers (Docker, Kubernetes)
  - CI/CD tools (GitHub, Jenkins, Code Climate, CloudHub 2)
  - Mulesoft
  - Salesforce (Community and Service Cloud)
  - OKTA or other Identity Access Providers
  - Serverless architectures
- Perform vulnerability exploitation (minimally pervasive) and validate remediation of critical/high findings.
- Execute both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
- Validate data classification efforts, including for moderate and high data sensitivity levels.
- Evaluate Zero Trust Architecture implementations.
- Work with designated teams to obtain necessary credentials and access to test environments.
- Provide written weekly status reports and a final report including findings, remediation strategies, and recommendations.
- Participate in a close-out briefing and perform knowledge transfer to internal stakeholders, including documentation and virtual sessions.
Minimum Qualifications
- 2+ years FTE experience in IT security solution design, implementation, or testing in cloud or hybrid environments.
- 2+ years FTE experience in Red Team penetration testing (commercial or government).
- 3+ years FTE experience validating secure configurations/posture for:
  - AWS or similar cloud tech
  - Containers (Docker, Kubernetes)
  - CI/CD tools (GitHub, Jenkins, Code Climate, CloudHub 2)
  - Mulesoft
  - Salesforce (Community and Service Cloud)
  - OKTA or similar IAM solutions
  - Serverless architectures
  - Overall secure cloud environments
- 3+ years FTE experience:
  - Performing SAST and DAST
  - Validating secure Zero Trust Architecture
  - Validating data classification (moderate/high)
- 2+ years FTE experience working with public sector agencies to achieve compliance with one or more of the following: SAM, CSF, SIMM, NIST, FIPS, FISMA, FedRAMP
Required Certifications (at least one per category below)
- Penetration Testing Certification (1 required):
  - CEPT, CPT, CEH, or CompTIA PenTest+
- Security Risk or Cloud Certification (1 required):
  - CRISC, CCSP, or CISSP
Tools and Technologies (Preferred/Used)
- Tenable WAS
- Burp Suite
- Nmap / sqlmap
- Salesforce
- Jenkins / GitHub / CI-CD pipelines
- AWS
- OKTA
- Kubernetes / Docker
- Mulesoft
- Microsoft 365 for documentation
- Industry-standard cybersecurity validation frameworks
Mandatory Qualifications (MQs)

| Mandatory Qualification | Summary |
|---|---|
| At least one (1) staff shall have a minimum of two (2) years FTE experience designing, implementing, or testing information technology security solutions in either a cloud or hybrid cloud environment. | Min 2 years in cloud/hybrid environments designing, implementing, or testing IT security systems. |
| At least one (1) staff shall have a minimum of two (2) years FTE experience performing commercial or Government Red Team penetration testing. | Min 2 years of Red Team testing. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure configurations/posture of AWS or similar cloud-based technologies. | Min 3 years validating secure configurations/posture of cloud tech (AWS). |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure configurations for Containers, including Docker and Kubernetes. | Min 3 years validating secure configurations/posture of Docker and Kubernetes containers. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure configurations for GitHub, Code Climate, Jenkins, CloudHub 2, or similar Continuous Integration/Continuous Delivery tools. | Min 3 years validating secure configurations for CI/CD delivery tools such as GitHub, Code Climate, Jenkins, CloudHub 2, or similar. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure configurations/posture of Mulesoft. | Min 3 years validating secure configurations/posture of Mulesoft. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure configurations/posture of Salesforce (including Community and Service Cloud). | Min 3 years validating secure configurations/posture of Salesforce, including Community and Service Cloud. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure configurations/posture of OKTA or a similar Identity Access Provider. | Min 3 years validating secure configurations/posture of OKTA or similar IAM tools. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating data classification (moderate and high). | Min 3 years validating moderate and high data classifications. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for overall secure cloud environments. | Min 3 years validating overall secure cloud environments. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience performing static application security testing and dynamic application security testing. | Min 3 years performing static and dynamic application security testing. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure zero trust architecture. | Min 3 years validating for secure zero trust architecture. |
| At least one (1) staff shall have a minimum of three (3) years FTE experience validating for secure posture of serverless architecture. | Min 3 years validating for secure posture of serverless architecture. |
| At least one (1) staff shall have a minimum of two (2) years FTE experience working with public governmental agencies (county, state, or federal) to achieve compliance with State Administrative Manual (SAM), Cybersecurity Framework (CSF), State Information Management Manual (SIMM), National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS), Federal Information Security Modernization Act (FISMA), or FedRAMP security controls and requirements. | Min 2 years working with State, County, or Federal agencies, meeting one or more of the following standards/controls/requirements: SAM, CSF, SIMM, NIST, FIPS, FISMA, or FedRAMP. |
| Certification: At least one (1) staff shall have at least one of the following or similar IT security certifications: Certified Expert Penetration Tester (CEPT); IACRB Certified Penetration Tester (CPT); EC-Council Certified Ethical Hacker (CEH); or CompTIA PenTest+. | Candidate must have 1 and preferably more of the listed certs or similar. |
| Certification: At least one (1) staff shall have at least one of the following or similar IT security certifications: Certified Risk and Information Systems Control (CRISC); Certified Cloud Service Professional (CCSP); or Certified Information Systems Security Professional (CISSP). | Candidate must have 1 and preferably more of the listed certs or similar. |