Principal Application Security Engineer
Bentley Systems, Vilnius. Update time: March 13, 2020
Job Description

Senior Application Security (AppSec) Engineer - “pentester”

 

The candidate will be part of a software security team (AppSec) at Bentley Systems. The product security team’s main responsibility is the security of software created by Bentley. This includes hundreds of products in a wide variety of contexts and technologies: Cloud, Desktop, Mobile, C#, JavaScript, Node.js, single-page applications and Electron applications, Azure cloud services, Java web applications, and more. The successful candidate will have the opportunity to work in a truly DevSecOps environment and will work as part of a multinational, diverse team of remotely placed experts.

 

Responsibilities

  • Continuous learning and researching advanced AppSec topics.
  • Attack and defend Bentley’s cloud platform and other products (server, desktop, mobile, etc.).
  • Identify and exploit vulnerabilities.
  • Develop automations and internal tools (e.g. scan in release pipeline).
  • Manage the bug bounty program.
  • Coordinate with a network of security champions to improve the security of our products.
  • Help colleagues in software development to improve coding.

 

Required Skills

  • Strong interest in software security and software development.
  • Training in computer science, software engineering or related field of study or equivalent related experience
  • 5+ years of development or security experience
  • Methodical and detail-oriented but also curious enough to investigate anomalies when warranted
  • Strong problem-solving capabilities using various technologies

 

Desired Skills

  • In-depth knowledge of OWASP Top 10 and SANS Top 25
  • Knowledge of heap exploitation techniques (especially Windows heap)
  • Knowledge of one or more Windows debuggers (e.g. windbg, x64dbg)
  • Knowledge of fuzzing tools
  • Knowledge of web technologies (JavaScript, HTML5, HTTP, REST, SOAP, etc.)
  • Knowledge of web security and debugging tools (e.g. capture with Fiddler, Wireshark, etc.)
  • Knowledge of some of the following programming languages: C++, C# and Typescript
  • Experience with pentesting tools like Burp Suite Pro, OWASP Zed Attack Proxy
  • Experience with exploit code creation for web and native (C/C++) vulnerabilities
  • Experience in and knowledge of coding in Assembly language (for attack payload creation)
