For our international customer, we are looking for a full-remote Vulnerability Engineer / Security Tester.
Candidates need to be flexible to work across time zones, including alignment with US Eastern Time where required. Candidates need to be fluent in English.
Tasks and responsibilities:
* Execute and support application vulnerability assessments (SAST, DAST, SCA, and manual code review), ensuring findings are accurate, actionable, and relevant to application risk;
* Validate scanner results, perform false-positive analysis, and track findings through remediation, including retesting to confirm effective fixes;
* Manage multiple application security initiatives concurrently while meeting strict timelines in a fast-paced environment;
* Prioritize vulnerabilities based on business impact, exploitability, exposure, and likelihood, using industry best practices (e.g., CVSS scoring);
* Develop and maintain dashboards and reports tracking vulnerability metrics such as severity distribution, remediation SLAs, and mean time to remediation (MTTR);
* Support the integration of security scanning and vulnerability workflows into CI/CD pipelines, leveraging existing tooling and automation;
* Facilitate remediation planning by providing actionable recommendations and coordinating root cause analysis;
* Support threat modeling and application risk assessments, with a focus on discovering insecure design patterns;
* Participate in high-severity or zero-day vulnerability response activities, including impact analysis and coordinated remediation efforts, as needed;
* Provide input into policies and standards related to application and cloud security controls;
Profile:
* Bachelor's or Master's degree in Information Technology, Cybersecurity, Computer Science, or a related discipline, or equivalent professional experience;
* 5+ years of relevant experience in application security and/or vulnerability management;
* Solid understanding of common vulnerability classes (e.g., OWASP Top 10) and secure architecture principles;
* Proficiency in using Burp Suite for manual security testing of web applications and APIs, including validation of automated findings and identification of complex authentication, authorization, and business-logic vulnerabilities;
* Hands-on experience with tools such as Burp Suite, Fortify, Checkmarx, SonarQube, Black Duck, Tenable, and common network discovery tools (e.g., Nmap);
* Familiarity with NIST, MITRE ATT&CK, and CIS benchmarks;
* Programming/scripting proficiency in languages such as Python, Java, .NET, or similar;
* Excellent documentation, communication, and stakeholder engagement skills;
* Fluent in English;
Desirable:
* Professional certifications (e.g., Security+, SSCP, GWAPT, or pursuing CISSP, OSCP).
* Experience using the ServiceNow platform for vulnerability or incident tracking.
* Proficiency in Azure cloud and Azure DevOps environments.
* Experience using Power BI or similar tools to visualize vulnerability metrics and remediation trends for technical and non-technical stakeholders.