Penetration Tester (Java/Ethical Hacking focus) - Hybrid - Contract to Hire

Experienced Recruiting Partners · Albany, New York · Posted 1mo ago · via Talent.com
Region USA

Job Description

Onsite role in Albany, NY – two days per week Wednesday/Thursday + every other Friday

Overview:

A Penetration Tester with a focus on Java application security is sought to identify, exploit, and fix vulnerabilities in Java applications to guard against cyber threats.

Key Responsibilities:

- Conduct penetration tests and vulnerability assessments for Java applications and infrastructure.

- Identify security flaws in Java code using automated and manual methods.

- Create and use custom exploits to test application security, simulating attacker tactics.

- Collaborate with Development teams to understand application architecture and find security weaknesses early.

- Collaborate with Testing teams to integrate with manual and automation testing.

- Provide guidance on secure coding and how to fix vulnerabilities.

- Stay updated on Java security threats and best practices.

- Help improve secure development processes (SDLC).

- Assist in responding to security incidents related to Java vulnerabilities, including current published NIST CVEs.

- Clearly document and report findings, including technical details, risk assessment, and recommended solutions.

- Communicate findings and recommendations to both technical and non-technical staff.

- Contribute to security policies for Java development and deployment.

- Manipulate URLs, query parameters and application browser data to look for penetration avenues. Validate and assess browser tokens, cache manipulation, and production vs. non-production architecture.

- Familiar with MITRE ATT&CK Framework.

REQUIREMENTS:

- Bachelor's degree in Computer Science, Information Security, or a related field.

- Minimum of 6 years of Development/Security experience.

- Experience in Penetration Testing/Ethical Hacking with a focus on Java application security.

- Strong knowledge of Java programming and its security practices as well as scripting experience.

- Core Java coding experience.

- Previous job background as an engineer and in a DevSec position on a large-scale, public, enterprise-scale application.

- Proficiency in web application security principles (e.g., OWASP).

- Knowledge of common web vulnerabilities (e.g., SQL injection, XSS) and exploit techniques.

- Experience with penetration testing tools like Burp Suite, Metasploit.

- Familiarity with Fortify on Demand SAST and DAST tools.

- Strong understanding of cryptography and secure communication protocols (e.g., SSL/TLS).

- Excellent problem-solving and analytical skills.

- Strong communication skills.

- High ethical standards and confidentiality.

Preferred Qualifications:

- Certifications such as OSCP, GWAPT, GXPN, GPEN, LPT, CEH, CISSP or other industry security certifications.

- Experience with scripting languages (e.g., Python, Bash).

- Experience with secure code review for Java.

- Familiarity with cloud security testing.

- Experience with mobile application penetration testing.

- Knowledge of regulations like HIPAA.

- Experience with API testing.

First seen 2026-04-14 07:56:09 · Last verified 2026-05-18 12:48:01

Pentest Careers · pentestcareers.com
