For our international customer, we are looking for a full-remote Vulnerability Engineer / Security Tester.
Candidates need to be flexible to work across time zones, including alignment with US Eastern Time where required. Candidates need to be fluent in English.
Tasks and responsibilities:
- Execute and support application vulnerability assessments (SAST, DAST, SCA, and manual code review), ensuring findings are accurate, actionable, and relevant to application risk;
- Validate scanner results, perform false-positive analysis, and track findings through remediation, including retesting to confirm effective fixes;
- Manage multiple application security initiatives concurrently while meeting strict timelines in a fast paced environment;
- Prioritize vulnerabilities based on business impact, exploitability, exposure, and likelihood, using industry best practices (e.g., CVSS scoring);
- Develop and maintain dashboards and reports tracking vulnerability metrics such as severity distribution, remediation SLAs, and mean time to remediation (MTTR);
- Support the integration of security scanning and vulnerability workflows into CI/CD pipelines, leveraging existing tooling and automation;
- Facilitate remediation planning by providing actionable recommendations and coordinating root cause analysis;
- Support threat modeling and application risk assessments, with a focus on discovering insecure design patterns;
- Participate in high‑severity or zero‑day vulnerability response activities, including impact analysis and coordinated remediation efforts, as needed;
- Provide input into policies and standards related to application and cloud security controls;
Profile:
- Bachelor or Master degree in Information Technology, Cybersecurity, Computer Science, or related discipline—or equivalent professional experience;
- +5 years of relevant experience in application security and/or vulnerability management;
- Solid understanding of common vulnerability classes (e.g., OWASP Top 10) and secure architecture principles;
- Proficiency in using Burp Suite for manual security testing of web applications and APIs, including validation of automated findings and identification of complex authentication, authorization, and business‑logic vulnerabilities;
- Hands-on experience with tools such as Burp Suite, Fortify, Checkmarx, SonarQube, Black Duck, Tenable, and common network discovery tools (e.g., Nmap);
- Familiarity with NIST, MITRE ATT&CK, and CIS benchmarks;
- Programming/scripting proficiency in languages such as Python, Java, .NET, or similar;
- Excellent documentation, communication, and stakeholder engagement skills;
- Fluent in English;
Desirable:
- Professional certifications (e.g., Security+, SSCP, GWAPT, or pursuing CISSP, OSCP).
- Experience using the ServiceNow platform for vulnerability or incident tracking.
- Proficiency in Azure cloud and Azure DevOps environments.
- Experience using Power BI or similar tools to visualize vulnerability metrics and remediation trends for technical and non-technical stakeholders.
