Job Description
Hi,
Greetings from BizTech Fusion!
BTF is assessing 10 NNPS web applications, school and department websites, and the NNPS cloud environment (Microsoft 365 and Google Workspace, application layer only). The cloud assessment scope was added by Addendum 2 to the base contract; pricing and methodology must reflect this expanded scope. This is not a basic scan: NNPS expects manual testing with documented exploitation attempts.
Title: Web Application & Cloud Assessment Lead
Location: Remote (US Region, Eastern Time)
Duration: 12 Month Contract with possible renewal
Tax: W2, 1099
Note: US-based personnel mandatory
Responsibilities
- Conduct manual and automated security assessments of 10 in-scope web applications
- Assess all public-facing NNPS websites for common vulnerabilities (injection, XSS, broken auth, IDOR, misconfigurations)
- Perform application-layer security assessment of the Microsoft 365 tenant (Exchange Online, SharePoint, Teams, OneDrive, Azure AD configurations)
- Perform application-layer security assessment of Google Workspace (Gmail, Drive, Classroom, Admin Console configurations)
- Test for misconfigurations, over-permissioned accounts, insecure sharing settings, and data exposure risks in both cloud platforms
- Document all findings with CVSS scores, exploitation evidence, and remediation steps
- Coordinate with Penetration Testing Lead where web app vulnerabilities intersect with internal network access
- Contribute to consolidated technical report; write web app and cloud assessment sections
Required Qualifications
- Minimum 4 years of web application penetration testing experience
- Burp Suite Pro proficiency (it must be the primary testing tool)
- Demonstrated experience with OWASP Top 10 methodology and WSTG (Web Security Testing Guide)
- Hands-on experience assessing Microsoft 365 tenants including Azure AD, Conditional Access, Exchange Online, and SharePoint permissions review
- Hands-on experience assessing Google Workspace Admin Console, sharing configurations, and third-party OAuth app exposure
- Experience producing web application findings reports with CVSS scores and remediation guidance
- US-based
Preferred Qualifications
- GWEB (GIAC Web Application Penetration Tester), OSWE, or eWPT/eWPTX certification
- Experience with K-12 or government web applications (student portals, SIS, LMS platforms)
- Familiarity with FERPA data exposure risk in education cloud environments
- Experience with API security testing (REST/GraphQL)
- Azure AD / Entra ID attack path experience (AADInternals, ROADtools)
First seen 2026-05-08 08:40:01 · Last verified 2026-05-08 08:40:01
Pentest Careers · pentestcareers.com