Sr. Application Security Engineer - INTL India

Insight Global
31 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior
Compensation
$27K

Tech stack

Microsoft Windows
Microsoft Active Directory
API
Business Logic
Software System Penetration Testing
Azure
Burp Suite
Cloud Computing
Computer Programming
Data Validation
Hypertext Transfer Protocols (HTTP)
Virtual Private Networks (VPN)
Mobile Application Software
Python
Network Security
Lightweight Directory Access Protocols (LDAP)
Microsoft SQL Server
Network Service
Nmap
OAuth
Open Web Application Security Project (OWASP)
Mobile Security
Software Engineering
Web Applications
Remote Desktop Protocol (RDP)
Software Security
Firewalls (Computer Science)
Backend
API Design
API Gateway
REST
Pagination
API Management
Microservices

Requirements

4-7 years of experience in Application Security, including web applications, mobile applications, infrastructure, and API penetration testing

ESSENTIAL SKILLS

Application & API Security

Strong hands-on experience performing manual web application penetration testing

Deep knowledge of OWASP Web, API, and Mobile Top 10 vulnerabilities

Experience following OWASP WSTG and structured testing methodologies

Ability to perform application mapping and attack surface discovery

Strong skills in authentication and authorization testing

Experience testing input validation and error handling

Ability to validate both client-side and server-side attack vectors

Hands-on experience testing RESTful APIs in authenticated and unauthenticated contexts

Ability to test authorization controls, role separation, token handling, API keys, OAuth and JWT misuse

Experience testing rate limiting, pagination, and business logic abuse

Ability to integrate API testing into broader application security assessments

Experience testing mobile applications with backend API dependency awareness

Strong understanding of client-side versus server-side trust boundaries

Infrastructure & Network Security

Hands-on experience performing internal and external infrastructure penetration tests

Knowledge of network service enumeration, including SMB, RDP, LDAP, MSSQL, HTTP/S

Experience identifying firewall, VPN, cloud endpoint, and network misconfigurations

Strong understanding of Active Directory attacks, including Kerberoasting, AS-REP roasting, and privilege escalation

Ability to validate lateral movement paths, credential reuse, weak permissions, and privilege escalation vectors

Experience aligning infrastructure testing with the Penetration Testing Execution Standard (PTES) methodology

Strong understanding of all PTES phases

Penetration Testing Execution & Reporting

Ability to scope, execute, and document full-cycle penetration tests

Experience validating exploitability and business impact, not just scanner findings

Ability to combine automated scanning with manual exploitation for accurate results

Experience performing retesting and validating remediation closure

Proficiency with industry-standard tools, including Burp Suite (manual testing, extensions, API testing), Nmap, and sqlmap

Strong experience producing clear, actionable penetration test reports

Experience tracking findings through the full remediation lifecycle

Secure Development & Collaboration

Experience working within a Secure Software Development Lifecycle (SSDLC)

Ability to perform architecture reviews and threat modeling (e.g., STRIDE)

Experience supporting static, dynamic, and manual security testing efforts

Ability to partner with development teams during design, build, and release phases

Ability to support leadership discussions on application and infrastructure risk posture and trends

Advanced Application Exploitation

Proven ability to identify complex business logic flaws across web, API, and mobile applications

Experience chaining low- and medium-severity findings into high-impact attack paths

Advanced web exploitation experience, including SSRF, deserialization, cache poisoning, and template injection

Deep familiarity with microservices-based and API-driven architectures

Experience testing APIs protected by OAuth2, JWTs, service tokens, and API gateways

Ability to advise teams on secure API design patterns, not just vulnerabilities

Mobile & Client-Side Security

Experience performing manual mobile security testing beyond automated scanners

Ability to identify client-side trust issues versus backend enforcement gaps

Risk Communication & Leadership

Strong executive-level communication skills, including attack path storytelling and business impact translation

Ability to correlate application vulnerabilities with infrastructure weaknesses

Experience validating attack paths involving network misconfigurations, privilege escalation, and lateral movement

Understanding of how cloud segmentation, firewalling, and network controls affect application exposure

Experience embedding security testing into SSDLC and CI/CD pipelines

Ability to guide teams on threat modeling, secure design decisions, and pre-production security gates

Comfort leading remediation discussions and constructively challenging weak fixes

Experience mentoring junior AppSec or penetration testing team members

Experience creating and reviewing penetration testing reports

Programming experience (Python or similar)

Certifications & Advanced Expertise

One or more relevant certifications such as OSCP, CRTO, OSWP, OSEP, PNPT, or similar

Advanced Active Directory attack path knowledge, including delegation abuse, DCSync, DCShadow, and BloodHound analysis

Experience reducing and validating attack paths

Cloud & Identity Security

Practical offensive security experience in Azure or Microsoft 365 (Entra ID) and/or GCP

Experience with identity abuse, misconfigured roles and policies, workload identity takeover, OAuth application abuse, and cross-tenant risks

Benefits & conditions

Clearly communicate technical and business risk to developers and leadership

Own testing quality from execution through reporting, remediation validation, and retesting

Rate will be between $9.00 and $13.00 an hour, depending on skills and experience