Lead Web Application Penetration Tester

30 Jan 2025

Vacancy expired!


Job Description

OVERVIEW

CoStar Group, Inc. (NASDAQ: CSGP) is commercial real estate's leading provider of information and analytic services. Founded in 1987, CoStar builds and operates over 100 real estate related web applications serving 100 million site visitors each month. We have over 5000 employees across the world working to deliver comprehensive, timely and standardized information on commercial real estate, residential real estate, and apartments.

In this role, you will secure the software and applications that power the worldwide real estate market. You will work with 1,000+ software, QA, and operations engineers to secure applications during design, development, and production. The candidate will utilize threat modeling, white box application security analysis, and grey box penetration testing. This position will collaborate with software development teams, DevOps, and security to drive and shape the way our employees and engineers build, deploy, and operate applications.

This position has the opportunity for hybrid work with up to two days remote per week. Four-day work weeks are also an option for those applicants that are interested.

ROLE RESPONSIBILITIES
  • Work with the software and product teams to help ensure applications are designed and implemented securely during the SDLC
  • Develop a repeatable framework to scale application security controls across 100+ applications
  • Consume a variety of application security tools (DAST, SAST, SCA, credential scanning, IaC scanning) to secure web applications during development and production runtime.
  • Penetration test web applications and underlying infrastructure for vulnerabilities using both manual and automated techniques
  • Demonstrate risk of detected issues to both technical and non-technical audiences
  • Utilize sustainable methods to automate finding feedback: generate developer work items and trigger a re-scan when the associated work items are closed.
  • Recommend code changes to eliminate vulnerabilities
  • Automate security testing at various stages within the CI/CD pipeline
  • Develop secure coding standards and training across multiple application frameworks and technologies

BASIC QUALIFICATIONS:
  • Bachelor's Degree (preferably in a relevant field - Computer Science/Cyber Security)
  • Minimum 6 years total experience in a technical role such as software engineer or security engineer with at least 2 years as a software developer.

Relevant experience areas (experience required in at least 3):
  • Design, implementation, and operation of a secure software development lifecycle
  • Experience with web application penetration testing and common attack vectors
  • Experience with secure application development
  • Experience with defense-in-depth strategies to help mitigate existing risk within applications
  • Software development experience in a common programming language: C# (preferred), Java, C/C++, Python, or Go
  • Scripting/programming skills - Python, PowerShell, GoLang, Perl, JavaScript, .NET, API Integration
  • Security tooling automation in CI/CD pipelines and IDE interfaces, including Static Application Security Testing (SAST) and Software Composition Analysis (SCA) solutions such as Veracode, Checkmarx, AppScan, Xray, Synopsys, or Snyk
  • Dynamic application security testing (DAST) through Metasploit, Burp Suite, OWASP ZAP, Acunetix, etc.
  • Industry relevant professional certifications:
    • ISC2 CISSP
    • Offensive Security Web Assessor (OSWA) / Web Expert (OSWE)
    • Offensive Security Certified Professional / Expert (OSCP / OSCE)
    • SANS GIAC Penetration Tester (GPEN)
    • SANS GIAC Cloud Penetration Tester (GCPN)
    • SANS GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

PREFERRED QUALIFICATIONS AND SKILLS
  • In-depth understanding of various assessment tools
  • Knowledge of infrastructure operations across databases, network, and system administration
  • Ability to communicate with different levels of leadership conveying risk and driving urgency for risk remediation.
  • Experience coordinating with application teams to drive security by design principles
  • Ability to mentor and train team members to prioritize security efforts effectively
  • A self-starter who can advance the application security program and follow through on ideas to completion.
  • Hands-on experience implementing security tools into CI/CD pipelines.
  • Experience testing serverless cloud deployments

CoStar Group is an Equal Employment Opportunity Employer; we maintain a drug-free workplace and perform pre-employment substance abuse testing.