Job Information
CSAA Insurance Group (CSAA IG), a AAA insurer, is one of the top personal lines property and casualty insurance groups in the U.S. Our employees proudly live our core beliefs and fulfill our enduring purpose to help members prevent, prepare for and recover from life's uncertainties, and we're proud of the culture we create together. As we commit to progress over perfection, we recognize that every day is an opportunity to be innovative and adaptable. At CSAA IG, we hire good people for a brighter tomorrow. We are actively hiring for a Penetration Tester! Join us and support CSAA IG in achieving our goals.
Your Role: Are you a highly skilled security professional with a passion for identifying, assessing, and managing threats, vulnerabilities, and associated risks to enterprise information assets and applications? Bring your proficiency to help us craft and mature our Vulnerability and Offensive Security program. Work closely with our information technology teams to identify and reduce security risks in our IT infrastructure and business applications. You bring to this position a high level of security expertise and a deep understanding of desktop, server, application and data storage vulnerabilities and how to discover and exploit them in a controlled environment. You'll take the lead and act as a subject matter expert for penetration testing and attack simulation in our data centers, cloud environments and critical business applications, helping us improve our overall threat posture. Help us re-think what it means to be a secure insurance provider in a fast-changing, highly competitive market.
Your work:
Conduct infrastructure, web application, API, and mobile application penetration testing.
Develop, document and administer the entire penetration testing lifecycle during engagements.
Conduct breach and attack simulation operations against CSAA systems to identify gaps in prevention, detection, or response.
Research, develop, and apply TTPs of relevant threat actors to simulated attack scenarios.
Provide subject matter expertise on the remediation of discovered vulnerabilities and gaps in security response.
Leverage threat intelligence to hunt for indicators of compromise and vulnerabilities.
Develop, deploy, manage and improve breach and attack simulation tools and related processes.
Design, develop and manage red and blue team exercises and processes contributing to purple team evaluation and response.
Provide team guidance and mentoring as a subject matter expert in purple team activities.
Required Experience, Education and Skills
Bachelor’s degree (in Information Technology or a related discipline) or equivalent experience
6 or more years of Information Technology and Security experience
5 or more years of hands-on penetration testing experience related to infrastructure and web applications.
2 or more years of hands-on experience with breach and attack simulation tools
Proficient knowledge of web development, including but not limited to Ruby, advanced JavaScript libraries (React, Angular, Knockout), Node.js, jQuery, Object-Oriented Design, Web Services (REST / SOAP)
Professional experience with any of the following: Java, .NET, AWS, Functional programming, SQL, MongoDB, CouchDB, Neo4J, Hadoop, Cassandra, DynamoDB, ElasticSearch, Solr
Expert knowledge of OWASP Top 10 and ability to articulate web security risks.
Experience with MITRE ATT&CK framework and adversary tactics, techniques and procedures
Solid understanding of penetration testing standards and process, including the development of documentation such as rules of engagement, scope, and remediation reports
Familiarity with Information Security risk ranking scales and derivation.
Broad knowledge of IT Security technologies and a solid understanding of architecture, design, deployment and management of information systems
Experience testing solutions deployed in a public cloud environment (IaaS, PaaS, SaaS)
Recent experience with Agile development / Scrum teams and operating in a Kanban model.
Direct experience with common change management procedures and platforms
Solid understanding of TCP/IP, DNS, HTTP, HTTPS, VPN, SQL and other database technologies
CISSP, CEH, OSCP, GWAPT, GPEN, or other penetration testing and security-related certifications are highly desired.
What would make us excited about you?
Actively shapes our company culture (e.g., participating in employee resource groups, volunteering, etc.)
Lives into cultural norms (e.g., willing to have cameras on when it matters: helping onboard new team members, building relationships, etc.)
Travels as needed for role, including divisional/team meetings and other in-person meetings
Fulfills business needs, which may include investing extra time, helping other teams, etc.
CSAA IG Careers
At CSAA IG, we’re proudly devoted to protecting our customers, our employees, our communities, and the world at large. We are on a climate journey to continue to do better for our people, our business, and our planet. Taking bold action and leading by example. We are citizens for a changing world, and we continually change to meet it.
Join us if you…
BELIEVE in a mission focused on building a community of service, rooted in inclusion and belonging.
COMMIT to being there for our customers and employees.
CREATE a sense of purpose that serves the greater good through innovation.
Recognition: We offer a total compensation package, performance bonus, 401(k) with a company match, and so much more!
Penetration Tester • New York, United States