Application security engineer/tester (State/Federal client)

Role Title: Application Security Tester

Core Responsibilities:

• Security Assessments: Conduct technical security evaluations of applications and infrastructure this includes both manual and automated testing.
• Security Design Reviews: Analyze architecture and design documents to identify security weaknesses or improvements.
• Risk Assessments: Evaluate risk levels associated with vulnerabilities or configurations, and provide mitigation strategies.
• Hands-On Testing: Engage directly in penetration testing, vulnerability scanning, and exploit validation from hardware-level interfaces up to the application layer.

Key Skills and Knowledge Areas:

• Application Layer Security: Familiarity with OWASP Top 10, secure coding practices, and common application vulnerabilities (e.g., SQLi, XSS).
• Infrastructure and Network Security: Understanding of security controls across systems, networks, and operating systems.
• Penetration Testing Tools: Use of tools such as Burp Suite, Nmap, Nessus, Metasploit, Wireshark, etc.
• Threat Modeling: Ability to perform threat analysis and develop countermeasures during design reviews.
• Hardware-Level Security Awareness: Though less common in traditional AppSec roles, this suggests understanding of embedded systems or firmware vulnerabilities.

Ideal Background:

• Experience in cybersecurity (especially in offensive security or secure architecture).
• Familiarity with DevSecOps pipelines, CI/CD integration, or code review practices.
• Strong knowledge of security frameworks and standards, such as NIST, ISO 27001, or MITRE ATT&CK.