Security Consultant (Secure Code Review Practice)

Pune, Maharashtra, India

NetSPI

NetSPI is the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance.


NetSPI is the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance, so businesses can protect what matters most. NetSPI secures the most trusted brands on Earth through Penetration Testing as a Service (PTaaS), External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), and Breach and Attack Simulation (BAS). Leveraging a unique combination of dedicated security experts, intelligent process, and advanced technology, NetSPI brings a proactive approach to cybersecurity with more clarity, speed, and scale than ever before.

NetSPI is on an exciting growth journey as we disrupt and improve the proactive security market. We are looking for individuals with a collaborative, innovative, and customer-first mindset to join our team. Learn more about our award-winning workplace culture and get to know our A-Team at www.netspi.com/careers.

NetSPI is seeking Security Consultants for its Secure Code Review practice. These individuals will primarily deliver client assessment services and contribute to practice development. Individuals who are passionate about finding vulnerabilities in source code and identifying secure coding best practices should consider applying.

This position requires an understanding of technology, enterprise security and risk management. The incumbent should have some experience with application security assessment and testing, and should demonstrate competence in problem solving, client service, written and verbal communication, and project execution. The incumbent should adhere to high standards of ethics and integrity and display professionalism. Finally, the incumbent should possess strong consulting skills.

Responsibilities:

  • Proven ability to identify security vulnerabilities in source code across various programming languages and frameworks including Java, .NET, JavaScript, C/C++, Python, and more.
  • Experience using, configuring, and triaging findings from Static Application Security Testing (SAST) tools like Checkmarx and Semgrep.
  • Proven track record of delivering several assessments involving static analysis and manual code review. The consultant excels at taint tracking through the code's data and control flow (source-to-sink analysis) and is skilled at identifying any mitigation controls that may affect the exploitability of a particular finding.
  • Experience in identifying and reviewing third-party vulnerabilities in source code using tools such as Snyk, Semgrep and Black Duck. The consultant is adept in researching CVEs to identify exploitability factors and perform reachability analysis to determine if a particular library poses a risk.
  • Skilled in using build tools (Maven, Gradle) & package managers (npm, pip).
  • Proven ability to work effectively with developers and application stakeholders. Consultant excels at providing clear remediation guidance and contextual explanations for identified vulnerabilities.
  • Leveraging automated and manual analysis to identify suspicious patterns in source code and potential points of interest that malicious actors could exploit to launch attacks or exfiltrate data.
  • Train and assist developers in describing and remediating existing vulnerabilities.
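The source-to-sink taint tracking and third-party reachability analysis named in the list above, shown as an added example that is not part of the posting and is not NetSPI's own tooling: a minimal intraprocedural taint tracker over Python ASTs that propagates taint through straight-line assignments, clears it at an assumed sanitizer (the "mitigation control" that changes exploitability), flags only the dangerous argument of each sink (so a parameterised query is not reported), and a reachability check that lists call sites of a dependency's affected API. The SOURCES/SINKS/SANITIZERS vocabulary, the sample snippets and the `thirdparty.unsafe_parse` API are all assumptions made for the demonstration; it needs Python 3.9+ for `ast.unparse`.

```python
"""Added example (not NetSPI's code): intraprocedural source-to-sink taint
tracking plus a CVE reachability check over Python ASTs. All rule vocabulary
and sample snippets below are assumptions for the demonstration."""
import ast

SOURCES = {"request.args.get", "request.form.get"}  # assumed attacker-controlled input
SINKS = {"cursor.execute": 0, "os.system": 0}       # assumed callee -> dangerous argument index
SANITIZERS = {"int", "shlex.quote"}                  # assumed calls that neutralise taint


def dotted(node):
    """Render a callee expression as a dotted name, e.g. request.args.get."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Propagates taint through straight-line assignments and flags tainted sink args."""

    def __init__(self):
        self.tainted = set()  # names currently holding attacker-derived data
        self.findings = []    # (line, sink, argument text)

    def is_tainted(self, expr):
        if isinstance(expr, ast.Call):
            callee = dotted(expr.func)
            if callee in SANITIZERS:
                return False  # mitigation control on the path: taint is cleared
            if callee in SOURCES:
                return True
            # str(x), x.upper(), "{}".format(x): taint flows through receiver and args
            recv = expr.func.value if isinstance(expr.func, ast.Attribute) else None
            return (recv is not None and self.is_tainted(recv)) or any(
                self.is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        # BinOp, f-string, Subscript, ...: tainted if any operand is
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(expr))

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted(node.func)
        if callee in SINKS:
            idx = SINKS[callee]  # only the query/command string is dangerous, not bind params
            if idx < len(node.args) and self.is_tainted(node.args[idx]):
                self.findings.append((node.lineno, callee, ast.unparse(node.args[idx])))
        self.generic_visit(node)


def analyze(source):
    """Return [(line, sink, argument)] for every sink fed attacker-controlled data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


def reachable(source, vulnerable_callee):
    """Lines that invoke a dependency's affected API; no call site means a CVE in
    that library is unreachable from this code and the risk is much lower."""
    return [n.lineno for n in ast.walk(ast.parse(source))
            if isinstance(n, ast.Call) and dotted(n.func) == vulnerable_callee]


# Constructed snippets standing in for code under review.
VULNERABLE_SQL = '''
user_id = request.args.get("id")
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
'''
PARAMETERISED_SQL = '''
user_id = request.args.get("id")
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''
CAST_BEFORE_USE = '''
user_id = int(request.args.get("id"))
cursor.execute("SELECT * FROM users WHERE id = " + str(user_id))
'''
USES_DEP = '''
import thirdparty
data = thirdparty.unsafe_parse(request.args.get("blob"))  # hypothetical affected API
'''


def demo():
    """Run every sample; returns {sample name: result}."""
    return {
        "vulnerable_sql": analyze(VULNERABLE_SQL),
        "parameterised_sql": analyze(PARAMETERISED_SQL),
        "cast_before_use": analyze(CAST_BEFORE_USE),
        "dep_reachable": reachable(USES_DEP, "thirdparty.unsafe_parse"),
        "dep_unreachable": reachable(VULNERABLE_SQL, "thirdparty.unsafe_parse"),
    }
```

Running `demo()` reports the string-concatenated query on line 4 of the first snippet, nothing for the parameterised and cast variants (the two mitigation controls a reviewer must recognise before rating the finding), and a single reachable call site for the hypothetical vulnerable dependency API. A real SAST engine adds interprocedural flow, branches and field sensitivity; the point here is only the shape of the source-to-sink reasoning the role asks for.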

Minimum Qualifications:

  • 1-6 years of hands-on Source Code Review experience.
  • Familiarity with secure coding guidelines and ability to analyze and review source code in at least one server-side programming language.
  • Knowledge of exploiting web applications and understanding of the OWASP Top 10 issues, including ability to identify and remediate vulnerabilities in source code.
  • Bachelor's degree in computer science/engineering or equivalent.

Preferred Qualifications:

  • Experience in detecting, analyzing, and providing recommendation guidance on security vulnerabilities in at least one of the following languages: Java, C#, PHP, Python, Perl, C/C++, SQL, JavaScript.
  • Hands-on experience conducting security-focused static analysis using commercial SAST tools such as Checkmarx, AppScan Source, Veracode, Coverity, Fortify and SonarQube.
  • Programming experience in at least one server-side programming language is a plus.
  • Ability to explain the risk and business impact of security vulnerabilities in source code to a variety of audiences.
  • Master's degree in computer science/engineering or equivalent.


We are an equal employment opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status or any other characteristic protected by law.

Category: Consulting Jobs

Tags: Application security Black Duck C Checkmarx Computer Science Java JavaScript Maven OWASP Pentesting Perl PHP Python Risk management SAST Security assessment SonarQube SQL Veracode Vulnerabilities

Region: Asia/Pacific
Country: India
