Penetration Tester

General Dynamics IT
yesterday

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Remote

Tech stack

Kubernetes Security
JavaScript
API
Agile Methodologies
Amazon Web Services (AWS)
Amazon Web Services (AWS)
Application Layers
Software System Penetration Testing
Confluence
JIRA
Automation of Tests
Burp Suite
Cloud Computing
Cloud Computing Security
Code Review
Information Systems
Continuous Integration
Github
Monitoring of Systems
Identity and Access Management
Python
Network Security
NMap
Node.js
Openshift
Scrum
Program Analysis
Fortify (Software)
Prometheus
Secure Coding
Security Software
SharePoint
Security Information and Event Management
SonarQube
System Testing
Test Case Design
Web Applications
Datadog
React
Grafana
Software Security
Test Scripts
Amazon Web Services (AWS)
GWAPT
Gitlab-ci
Kubernetes
Bug Reporting
Metasploit
Cybercrime
Nessus
Checkmarx
Functional Programming
Cloudwatch
Api Gateway
REST
Dynatrace
Devsecops
Docker
ELK
Vulnerability Analysis
Microservices
Dynamic Application Security Testing

Requirements

The Penetration Tester supports the Case Management Modernization (CMM) Program for the Administrative Office of the U.S. Courts (AO) by conducting security, penetration, and vulnerability assessments required prior to Application ATO (Authority to Operate). This role ensures that CMM applicationsbuilt using React, NodeJS, AWS cloud services, and microservicesmeet federal security standards and demonstrate resilience against realworld cyber threats. Working within Agile DevSecOps teams, the Penetration Tester performs handson exploitation, validates security controls, identifies weaknesses, and collaborates with engineering teams to remediate findings. This role is critical to ensure that CMM systems comply with NIST 80053, RMF, and AO security requirements before production authorization.Key Responsibilities:Perform application, API, and cloud penetration tests on CMM systems prior to ATO submission.Conduct web, mobile, API, and microservices security testing using industrystandard tools and manual exploitation techniques.Execute AWS cloud penetration testing within approved boundaries (IAM, S3, Lambda, API Gateway, ECS/EKS, networking).Perform static and dynamic analysis, including code review for security vulnerabilities.Conduct credentialed and uncredentialed scans, privilege escalation testing, and lateral movement analysis.Validate implementation of NIST 80053 controls, including AC, AU, IA, SC, SI, and CM families.Support RMF Step 3 (Security Assessment) activities and provide evidence for ATO packages.Identify vulnerabilities across application layers, cloud infrastructure, and CI/CD pipelines.Work with developers, cloud engineers, and DevSecOps teams to validate fixes and retest vulnerabilities.Provide detailed remediation guidance aligned with secure coding and cloud security best practices.Track findings in Jira or equivalent tools and ensure closure prior to ATO milestones.Prepare Security Assessment Reports (SAR), penetration test summaries, and risk findings for AO stakeholders.Document exploitation steps, proofofconcepts, and risk severity aligned with federal scoring methodologies.Contribute to System Security Plans (SSP), POA&Ms, and ATO evidence packages.Support preATO readiness reviews, including control validation and security walkthroughs.Participate in tabletop exercises, threat modeling sessions, and architecture reviews.Validate system resilience through stress, failover, and adversarial resilience testing.Ensure compliance with federal security standards, including NIST, FISMA, and AO-specific guidelines.Work closely with development teams to integrate security testing into Agile sprints.Provide security insights during sprint planning, backlog refinement, and release readiness reviews.Support secure CI/CD pipeline enhancements, including automated security scanning.REQUIREMENTS:8+ years of experience in penetration testing, application security, or ethical hacking security roles.Experience documenting test plans, test procedures, and detailed security findings.Experience supporting federal security assessments or enterprise-scale security testing.Hands-on experience performing penetration tests on web applications, APIs, microservices, and cloud environments.Strong proficiency with tools such as Burp Suite, OWASP ZAP, Metasploit, Nmap, Nessus, Nikto, K6 Security, or custom scripts.Experience testing applications built with NodeJS, ReactJS, REST APIs, and microservices.Strong understanding of AWS security, including IAM, VPC, S3, Lambda, API Gateway, ECS/EKS, CloudTrail, and CloudWatch.Experience with NIST 80053, RMF, FedRAMP, or federal ATO processes.Ability to interpret logs, metrics, and security telemetry to identify attack paths.Familiarity with SIEM and monitoring tools such as Datadog, ELK, CloudWatch, Grafana.Experience with container security (Docker, Kubernetes, OpenShift).Understanding of network security, distributed tracing, and adversarial testing techniques.Strong analytical, communication, and documentation skills. QUALIFICATIONS:8+ years of general experience in information systems with BS/BA Degree, or 6+ years with MA/MS Degree6+ years experience with in integration, regression, and system testing using automated testing tools in web-based applicationsExperience in writing test cases, test plans, executing test scripts, reporting defects and preparing test results reportsExperience in the entire QA Life Cycle, to include designing, developing and execution on the entire QA process and documentation of test plans, test cases, test procedures and test scriptsExperience may be considered in lieu of degree CERTIFICATIONS:OSCP, OSWE, GWAPT, GPEN, or similar offensive security certifications.AWS Security SpecialtySAFe, DevSecOps, or Agile certifications beneficial. TOOLS & TECHNOLOGIES:Burp Suite, OWASP ZAP, Metasploit, Nmap, Nessus, NiktoK6 Security, custom Python/JavaScript toolsAWS CloudWatch, CloudTrail, GuardDutyDatadog, ELK Stack, Prometheus, GrafanaJenkins, GitLab CI/CD, GitHub ActionsSAST/DAST tools (SonarQube, Checkmarx, Fortify)Jira, Confluence, SharePoint, MS TeamsPower BI, Grafana dashboards COMMUNICATION & ORGANIZATIONALExcellent presentation and communication (oral and written) skills.Consultant mindset with the ability to work with high level customer stakeholders and build excellent customer relationship.Experience identifying and applying industry tools, solutions, methods best practices, and emerging technologies.Strong analytical skills and problem-solving skills with the ability to formulate and communicate recommendations for improvement.Demonstrated ability to work effectively, independently, and as part of a team.

Apply for this position