IT Security & Compliance Specialist II
Job description
The Application Security Penetration Tester is responsible for identifying, analyzing, and mitigating vulnerabilities in software applications and APIs throughout the development lifecycle. This role collaborates closely with development and infrastructure teams to integrate secure coding practices and ensure the security of applications from design through deployment.

The Application Penetration Tester is responsible for performing deep, manual and automated security assessments of NCDHHS applications. This role goes beyond automated scanning: you will chain vulnerabilities, bypass controls, and emulate real adversary behavior across web apps, APIs, and mobile platforms.

In collaboration with our partners, the North Carolina Department of Health and Human Services (DHHS) protects the health and safety of all North Carolinians and provides essential health and human services. The IT division (ITD) is one of the divisions that report to the Operational Excellence portfolio. The ITD division comprises four sections: Implementation and Operations, Strategy and Workforce, Enterprise Technology, and Vendor and Finance. ITD offers services including, but not limited to, implementations, operations, project/portfolio management, infrastructure, consulting, business division liaison, digital transformation, IT strategy, enterprise technology, IT contract and vendor management, and data office services.
Degree/College Credit Verification
Degrees must be received from appropriately accredited institutions. Transcripts, degree evaluations, and cover letters may be uploaded with your application. The State of North Carolina/Office of State Human Resources uses the National Association of Credential Evaluation Services (NACES) as a referral resource for applicants who need to have their credentials certified as equivalent.
- For a list of organizations that perform this specialized service, please visit the NACES membership website at https://www.naces.org/members .
Veterans' and National Guard Preference
- Applicants seeking Veteran's Preference must attach a DD-214 Member-4 Form (Certificate of Release or Discharge from Active Duty) to their applications.
- Applicants seeking National Guard Preference must attach an NGB 23A (RPAS), along with the state application, if they are a current member of the NC National Guard in good standing.
- Applicants who are former members of either the NC Army National Guard or the NC Air National Guard, with honorable discharge and six years of creditable service, must attach a copy of the DD 256 or NGB 22, along with the state application.
ADA Accommodations
Consistent with the Americans with Disabilities Act (ADA) and the Pregnant Workers Fairness Act (PWFA), DHHS is committed to the full inclusion of all qualified individuals. As part of this commitment, DHHS will ensure that people with disabilities, or known limitations covered by the PWFA, are provided with reasonable accommodation. If reasonable accommodation is needed to participate in the job application or interview process, please contact the person indicated below.
Requirements
The Knowledge, Skills, and Abilities (KSAs) / Management Preferences below are not required. Applicants who possess the following skills are preferred:
- Hands-on experience performing manual penetration testing of web applications, REST and GraphQL APIs, and mobile applications, including static application security testing (SAST), dynamic application security testing (DAST), and threat modeling.
- Skilled in identifying, exploiting, validating, and documenting security vulnerabilities, including SQL Injection (SQLi), Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), and authentication and authorization flaws.
- Proficient in conducting both manual and automated security assessments using industry-standard tools such as Burp Suite, OWASP ZAP, Nmap, Metasploit, Nessus, Snyk, Veracode and Checkmarx.
- Experience in collaborating with software developers to triage, prioritize, and remediate security findings, while working closely with DevOps and engineering teams to ensure secure application design, configuration, and deployment.
- Experience integrating security controls, automated testing, and vulnerability scanning into CI/CD pipelines to support secure software development practices and DevSecOps initiatives.
- Experience producing comprehensive technical assessment reports containing detailed proof-of-concept (PoC) exploits and reproducible attack scenarios.

Some state job postings say you can qualify by an "equivalent combination of education and experience." If that language appears below, then you may qualify through EITHER years of education OR years of directly related experience, OR a combination of both. See the Education and Experience Equivalency Guide for details.
Bachelor's degree in computer science or a related IT field or related degree from an appropriately accredited institution and two years of progressive experience in IT Security or closely related area;
OR
Associate degree in computer science or a related IT field or related degree from an appropriately accredited institution and three years of progressive experience in IT Security or closely related area;
OR
An equivalent combination of education and experience.
Benefits & conditions
- Paid parental leave
- Parental leave
- Health insurance
- Retirement plan