Penetration Tester at ASM Research, Accenture Federal Services Annapolis, MD

Job Overview

Application Penetration Tester at ASM Research, an Accenture Federal Services Company located in Annapolis, MD. In this role you will safeguard web applications and REST APIs by applying deep knowledge of OWASP Top
10 and SANS
25 to identify, mitigate, and remediate security vulnerabilities.

• Perform thorough security assessments of third‑party libraries and analyze dependencies.
• Conduct automated and manual code reviews of Java, Scala, JavaScript and Spring Framework applications.
• Identify security issues such as CSRF, XSS, SQL Injection and Privilege Escalation, and provide actionable recommendations for remediation.
• Execute dynamic and penetration testing of web applications and REST APIs using Burp Suite Pro, Postman/Bruno, and other relevant tools.
• Analyze scan reports from SAST, DAST and SCA tools and translate findings into workable improvement plans.
• Write comprehensive reports detailing findings, outcomes and proposals for system security enhancement.
• Serve as a liaison between development teams and stakeholders to communicate security requirements and ensure they are incorporated early in the software development lifecycle.
• Participate in software security architecture and design reviews, and integrate security tools into CI/CD pipelines.

• Serve as liaison between development teams and stakeholders to understand and formulate security requirements.
• Define, maintain and enforce application security best practices.
• Deep understanding of OWASP Top
  10 and SANS
  25.
• Perform third‑party library security assessments and dependency analysis.
• Conduct vulnerability assessment and code review to identify security vulnerabilities (CSRF, XSS, SQL Injection, Privilege Escalation) and recommend remediation.
• Analyze scan reports from SAST, DAST and SCA tools to identify issues and provide recommendations.
• Conduct static, dynamic and penetration security testing of Web Applications and REST APIs.
• Perform software security architecture and design reviews.
• Write comprehensive reports with assessment findings and improvement propositions.
• Identify and present vulnerabilities to application owners and recommend remediation.
• Knowledge of scripting for integration and automation of security tools within Dev Ops CI/CD processes.

• 3+ years in secure code review, especially for Scala, Java, JavaScript and Spring Framework.
• 3+ years practical experience with SAST and DAST testing.
• 3+ years hands‑on experience with manual penetration testing of web applications and REST APIs using Burp Suite Pro and Postman/Bruno.
• Deep understanding of secure coding best practices and Dev Sec Ops  principles.
• Proficiency in OWASP Top
  10 and SANS
  25 testing guidelines.
• Experience with CI/CD, AWS security principles, Jenkins and Git Hub.

GPEN, GWAPT, OSCP or CompTIA Pen Test.

General compensation guidelines vary based on location, skill set, education, certifications, client requirements, contract specifics, government clearance level and years of experience. The compensation displayed for this role serves as a general guideline unique to each position and is part of ASM's overall compensation and benefits package.

As described in “Knowledge,

Skills and Abilities

,” employees must perform light office duties and may be required to lift up to 50 pounds or undertake some travel. Reasonable accommodations may be made for qualified individuals with disabilities.

The preceding job description provides a general overview of the role. It is not intended to be an exhaustive inventory of all duties, responsibilities or qualifications required for this position.

ASM maintains a policy that race, color, religion, sex, disability, age, sexual orientation or national origin will not be considered in any personnel or management decisions. All recruitment, hiring, training and promotion for all job classifications are conducted without regard to these characteristics. ASM affirms its commitment to equal employment opportunity.