
Penetration Testing Specialist
Posted May 20

This is a fully remote position, open to applicants in Latin America.
• Plan, design, and execute penetration tests on web applications, mobile (iOS/Android), APIs, cloud infrastructure, and internal networks, adhering to PTES, OWASP WSTG, OWASP MASTG, OWASP API Security Top 10, OWASP ASVS, and NIST.
• Maintain versioned, reproducible, and auditable checklists by target type, covering IAM, role-based authorization, idempotency, rate limiting, error handling, and information exposure.
• Conduct security code reviews of backend codebases: input validation, authorization errors (BOLA/IDOR), financial logic errors (decimal precision, rounding, currency conversions), concurrency, idempotency, webhook signatures, and secret management.
• Operate and fine-tune the integrated AppSec toolchain within the SDLC: SAST, DAST, SCA, secret scanning, and IaC scanning.
• Design and sustain a threat modeling program (STRIDE / PASTA / LINDDUN) for critical product features.
• Audit implementations of OAuth 2.0 / OIDC / JWT for algorithm confusion, replay attacks, refresh token rotation, PKCE, and claims validation (iss/aud/exp).
• Execute in-depth API security testing: BOLA/BFLA, mass assignment, rate limiting, idempotency, race conditions, and signed webhooks.
• Secure partner integrations: CSP, frame-ancestors, postMessage, CORS, SameSite, and sandboxing.
• Identify business logic vulnerabilities with direct economic impact: double spending, transaction replay, race conditions, negative amounts, overflow/underflow, limit bypass, rounding manipulation, and idempotent key reuse.
• Build AI-assisted workflows for recon, triage, PoC generation, code reviews, and targeted fuzzing.
• Apply OWASP Top 10 for LLM and MITRE ATLAS when evaluating product features with generative AI.
• Write executive and technical reports with CVSS v4 severity, business impact, reproducible PoCs, and actionable remediations.
• Track findings to closure with SLAs based on severity.
• Generate auditable evidence for ISO 27001, BCRA, and partner due diligence processes.
• Present findings to engineering teams, CTO, CISO, and the risk committee.
• Collaborate closely with teams as a security partner: conduct design reviews, pair programming reviews, and mentor on secure coding practices.
• Design purple team exercises with SecOps, carry out internal CTFs and bug bashes, and maintain a bug bounty program.
• 4+ years in penetration testing or application security, with hands-on experience assessing production systems.
• Previous experience as an internal pentester or AppSec engineer in a live product.
• Background in development: able to independently read and reason through code in at least 2 languages (Python, .NET, Node/TypeScript, or Java).
• Documented and systematic methodology: PTES, OWASP WSTG / MASTG / ASVS, OWASP API Top 10.
• Strong knowledge of OAuth 2.0 / OIDC / JWT and their known attacks (algorithm confusion, replay, key confusion, claims validation).
• Extensive experience in API security: BOLA/BFLA, mass assignment, rate limiting, idempotency, race conditions, signed webhooks.
• Comprehensive coverage of web pentesting: OWASP Top 10, SSRF, deserialization, template injection, prototype pollution, and related vulnerabilities.
• Mobile pentesting experience: Frida, Objection, MobSF, bypassing SSL pinning, hooking, static and dynamic analysis.
• Cloud security experience in at least one major cloud provider (Azure and/or AWS): IAM, privilege abuse, secrets in pipelines, storage exposure.
• Active and intentional use of AI in your workflows with awareness of associated risks (sensitive data, hallucinations).
• Excellent written communication skills: your reports are auditable deliverables.
• Remote work
• Opportunities for growth and professional development