ACV Auctions is looking for an Application Security Engineer responsible for designing, building & improving key security components of ACV Auctions' mobile infrastructure that perform at scale. We value practical secure software, mobile development & instrumentation experience in addition to a thorough understanding of computer science fundamentals. The technologies you are familiar with are less important to us than your ability to solve complex software problems & apply software engineering best practices.
As an Application Security Engineer at ACV Auctions you'll always be challenged to solve interesting & novel problems. If you are passionate about security & working with bright & highly productive teams, this role could be a great match.
What you will do:
- Perform penetration testing against many different types of applications & networks.
- Identify & exploit vulnerabilities in applications & networks.
- Document technical issues identified during security assessments utilizing standard CWE & CVSS classifications.
- Research emerging security topics & new attack vectors.
- Work independently to meet customer & project deadlines.
- Interact with customers in a collaborative consultative manner to deliver results, provide feedback & remediation recommendations on penetration testing findings.
- Support & manage the Company's application security testing instrumentation for integration into CI/CD & efficient delivery of focused & comprehensive test results.
- Support the SDLC Program & Process.
What you need to know:
- A year or more working in a work from home / remote capacity.
- 5 or more years of penetration testing experience, including 3 or more years of application & network / red team testing.
- Understanding of web architecture & protocols (HTTP(S), TCP/IP, ARP, SMTP, DNS, etc.).
- Understanding of how data flows through an application and/or network & connected components (SMTP, LDAP, Database servers).
- Understanding of common software security issues & remediation techniques (OWASP top 10, SANS top 25, etc.).
- Familiar with common Windows/Linux commands & scripting.
- Familiarity with general application & network security concepts.
- Ability to communicate effectively both written & verbal.
- Familiar with OWASP Top 10 & CWE/SANS Top 25 classification systems.
- Familiar with profiling an application or network, identifying threats, & developing test cases to target identified threats.
- Familiar with developing proof-of-concept exploit examples to use within reports or live demonstrations.
- Familiar with documenting & communicating results that may be consumed by both developers & management-level audiences.
- Familiar with testing web applications, natively compiled binary applications, mobile applications, web services, & testing networks.
- Familiar with using as many of the tools listed below (open to others not listed):
o Intercepting Proxies (i.e. Burp Suite, Charles, OWASP ZAP proxy, etc.).
o Web Service Testing Tools (i.e. soapUI).
o Disassemblers/Decompilers/Debuggers (IDA Pro, OllyDbg, WinDbg, jad, flare/flasm, SoThink SWF Decompiler, Firebug, etc.).
o Exploit frameworks (Metasploit, Immunity CANVAS, CORE Impact).
o Vulnerability scanners (Nessus).
o OSINT discovery (Shodan, Maltego).
o IDEs (i.e. Visual Studio or Eclipse).
- Degree from an accredited College or University in Computer Science, Information Systems, Engineering or a related major, OR equivalent work experience.
- Current holder of penetration testing certifications such as OSCP, OSWP, GWAPT, GXPN, GPEN, or CREST.
- 2+ years of professional web-application development or source code review experience.
- Familiar with writing tools to aid in penetration testing.
- Development experience with multi-tiered Internet applications.
- Development and/or architecture familiarity with mobile applications, specifically Apple iOS & Android.
- Experience conducting targeted phishing & related social engineering tests.
- Penetration testing experience with DevOps-related technologies such as Docker, Kubernetes, & CI/CD tool environments.
- Penetration testing & reverse engineering experience with embedded systems & hardware (i.e. IoT devices).
- Experience developing custom scripts or tools used for vulnerability scanning & identification.
- Unix, Windows (negligible), or networking security experience
ACV Auctions is an equal opportunity employer (EOE) & all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law.