Key skills
Web application penetration testingAPI securityOWASP Top 10OWASP API Security Top 10Authentication flawsAccess control issuesIDOR/BOLAInjectionXSSSSRFBusiness logic vulnerabilitiesManual testing techniquesAutomated security scanning toolsSecurity automation frameworksNucleiBurp Suite automationOWASP ZAPCustom scripting for security testingPenetration testing toolsProof-of-concept developmentPythonBashPowerShellOSCPOSWEBurp Suite Certified PractitionerGWAPTCEHCloud securityAWSAzureGCPContainer securityDockerKubernetesNetwork securityInfrastructure securityAICommunicationOWASPPenetration TestingNetwork SecurityCloud Security
About this role
SafeOps is a company dedicated to helping businesses secure their digital assets through proactive security assessments and monitoring. They are seeking a Senior Application Security Engineer to identify and mitigate vulnerabilities in web applications and infrastructure, focusing on penetration testing, security research, and automation.
Responsibilities:
- Conduct manual and automated penetration tests on applications, APIs, cloud environments, containers, and network infrastructure to identify security weaknesses
- Utilize security automation frameworks to create and optimize reusable security templates, including Nuclei templates and custom validation checks
- Perform in-depth security research to identify emerging threats, CVEs, exploit techniques, and attack patterns relevant to customer environments
- Automate security testing using custom scripts, security tools, and AI-assisted workflows to improve efficiency, coverage, and vulnerability validation accuracy
- Develop and maintain security testing templates for common vulnerabilities, known CVEs, misconfigurations, and real-world attack scenarios
- Simulate real-world attack scenarios and develop safe proof-of-concept scripts when necessary to validate exploitability
- Validate reported vulnerabilities for real-world exploitability using safe and controlled testing methods
- Review scanner findings to identify false positives, improve severity accuracy, update CVSS scoring, and enhance customer-facing issue quality
- Document findings in clear, actionable reports with impact, evidence, reproduction steps, exploitability status, and remediation guidance
- Work with developers to implement secure coding best practices and provide guidance on fixing vulnerabilities
- Stay up to date with the latest security threats, vulnerabilities, attack techniques, automation tools, and AI-assisted security testing methods
- Conduct post-remediation testing to verify fixes and ensure vulnerabilities have been effectively addressed
Requirements:
- 4-5+ years of experience in web application penetration testing or a related field
- Strong expertise in web and API security, including OWASP Top 10, OWASP API Security Top 10, authentication flaws, access control issues, IDOR/BOLA, injection, XSS, SSRF, and business logic vulnerabilities
- Hands-on experience with manual testing techniques, as well as automated security scanning tools
- Experience with security automation frameworks such as Nuclei, Burp Suite automation, OWASP ZAP, or custom scripting for security testing
- Ability to develop, tune, and validate reusable security templates, including Nuclei templates and custom validation checks
- Proficiency in penetration testing tools and safe proof-of-concept development for exploitability validation
- Knowledge of programming/scripting languages such as Python, Bash, or PowerShell for automation and security testing
- Strong problem-solving skills and the ability to work independently or within a team
- Excellent communication skills, with the ability to explain technical security issues to non-technical stakeholders
- Certifications such as OSCP, OSWE, Burp Suite Certified Practitioner, GWAPT, CEH, or related web security credentials are highly desirable
- Experience with cloud security (AWS, Azure, GCP) and container security (Docker, Kubernetes) is a plus
- Basic understanding of network security and infrastructure security