Pen-tester - Product Security
BR-Remote
Brazil Careers
Req #: 16018
Type: Regular
Overview: Avalara's Offensive Security organization is looking for a penetration tester to join our security assessments team. As a member of our in-house pen-test team, your principal mission will be to conduct offensive pen-testing activities against our microservices, applications, infrastructure and data-layer services. You will work closely with our engineering groups to define pen-test scope, lead assessment engagements, and map assessment findings into engineering remediation plans, ultimately guiding our product security uplift activities. This is a unique opportunity for an experienced, collaborative offensive pen-tester with a healthy sense of curiosity to join Avalara Engineering, make a real positive impact on our security posture, and help us improve the security designs of our next generation of systems and services.

Responsibilities:
* Conduct white-box and grey-box offensive penetration testing against Avalara's applications, microservices and web services
* Conduct offensive pen-testing of network infrastructure, public cloud (AWS and GCP), AI, and data-layer services
* Perform source code reviews and audits (manual review plus SCA/SAST tooling) as needed to support white-box assessments
* Be a subject matter expert and ambassador to Avalara Engineering for secure coding practices, penetration testing, platform security and all aspects of application and product security
* Perform any other application security or product security related activities or tasks as needed or directed
* Validate third-party external pen-test and crowd-sourced application security findings, and work with our application security team to triage them across to our engineering teams
Qualifications:
* An Offensive Security Certified Professional (OSCP) certification
* 5+ years of security assessment experience
* Broad knowledge of attack vectors, exploits and mitigations that work at scale or can be linked together into chained attacks
* Experience assessing cloud-native services, service meshes, and Kubernetes-based microservices
* Ability to apply unconventional thinking and problem-solve at the boundary of your knowledge base, learning new technologies or languages as needed to complete pen-test tasks
* Ability to think both offensively (like an attacker) and defensively (evaluating product security and design)
* Ability to produce written work product, detailed technical findings documents, and pen-test reports
* Familiarity with industry-standard threat modelling, risk modelling and vulnerability classification
* Knowledge of the OWASP Top 10 for LLM Applications and AI hacking experience is a plus