Security Consultant Application Security

  • Full-time
  • Travel Required: 10 - 19%

Company Description

At Optiv, we’re on a mission to help our clients make their businesses more secure. We’re one of the fastest growing companies in a truly essential industry.

In your role at Optiv, you’ll be inspired by a team of the brightest business and technical minds in cyber security. We are passionate champions for our clients, and know from experience that the best solutions for our clients’ needs come from working hard together. As part of our team, your voice matters, and you will do important work that has impact, on people, businesses and nations. Our industry and our company move fast, and you can be sure that you will always have room to learn and grow. We’re proud of our team and the important work we do to build confidence for a more connected world.

Job Description

Optiv is a multi-disciplined consulting team with focus areas in network penetration testing, malware analysis, vulnerability research, hardware testing, and operating system, mobile device and application testing. The Software Security Group (SSG) focuses on mobile and web application testing, and generally anything built in Java, .Net, PHP or web/mobile frameworks.


We expect a senior-level individual to have at least four years in a directly related role. We are currently looking for consultants primarily in Seattle, Chicago, New York and the SF Bay Area, but since the majority of the work is remote we would like to talk to you regardless of where you call home.

  • Optiv maintains an international client base, which allows us to locate consultants across the country and around the globe. However, if you are willing to relocate to one of our preferred US locations, we do offer relocation assistance.

Qualifications

Travel:

We quote "up to 20%", but this really depends on where you live. If you live in a rural area, expect to be on a plane once in a while; if you live in a major metropolitan area we can usually keep you within driving distance of your clients.


Salary:

Better than industry averages, based on experience and talent. Talent is well compensated.


Bonus:

We pay consultants a bonus based on utilization: if you stay at least 70% utilized, you'll receive a quarterly bonus.


Office Life:

Most of the team works from home, or with some of their local coworkers on larger projects. If you want to come into the office every day, this job may not be the best fit. We tend to hire experienced people who can manage their time without constant supervision.


Desired Certifications:

None required. 


Required Education:

We don't require a Computer Science degree, though plenty of the team have one. We always look at capabilities and experience first.


Hiring Process:

You'll start by talking to the SSG Practice Manager you would be working for. He'll walk through your resume with you and try to bring out the tangibles. Most of his questions will aim to figure out where your consulting skills are and whether you could work with our processes.


If the SSG Manager passes you on, we'll give you a target for a quick web application assessment. You'll have 72 hours to go after a vulnerable app and write up the results. When you're done you'll have a call with 2-3 principal consultants on the team. Once we've walked through your report, we'll move on to a technical interview, with questions based on the work we perform. We aren't going to try trick questions or ask you something you could just Google. It's more about demonstrating your experience and communicating your thought process.


Things we like to see:

CVEs, links to your conference presentations (or your own conference), tools, research papers: generally anything that demonstrates you know your stuff when it comes to web and mobile applications.


Skills we expect:

  • Able to demonstrate a comprehensive application testing methodology. This means you can work from a plan that covers potential issues from A to Z. This can be a problem for people who are used to "run tool, get results" or hunt-and-peck style testing.
  • Gray box application testing. Our normal app assessment approach is a full-knowledge gray box style where we have access to docs, source, a functioning app, and control of the environment. We also perform straight code reviews and black box testing, and all consultants need to be comfortable with both. Basically, you need to be able to take advantage of those resources when they are present and not be hamstrung when they are not.
  • Code review and static analysis. You should know how to approach a large code review and be experienced with current static analysis tools. You should be able to look at a codebase and prioritize code for top-down review, as well as write custom rules or signatures for components that the base toolset doesn't cover.
  • Mobile application testing. You should understand the threat classes for mobile apps and preferably have performed assessments of mobile applications on the iOS, WinPhone and Android platforms.
  • Threat modeling and SDL processes, per the Microsoft guidelines.
  • Secure SDLC for Agile / DevOps.

Development experience in some of these areas:

  • JavaScript
  • SQL
  • Java
  • C# / .Net
  • Python
  • AngularJS
  • Swift
  • Objective-C
  • Ruby, PHP, along with common dev frameworks such as Spring Core/Boot/MVC, Hibernate, JSF/JSP, Ruby on Rails, Sinatra, Entity Framework and WCF

We don't expect people to be experts in every area but you will have to demonstrate expertise in a few so that we can fit you with the appropriate projects.

  • We don't have an official scripting language, but the team generally tends to work in Ruby or Python for project tools.
  • Consulting skills. This is a consulting position, which means you will have to talk to people at some point and wear a nice shirt once in a while. We understand that security folks can be weird at times, and we generally like weird at Optiv, but you have to be able to rein it in when working with clients.
  • Platform-wise we are a Mac shop.

Additional research experience in the following would also be a plus:

  • Bypassing geolocation services, mainly those used for online gaming / gambling.
  • Home appliance hacking (thermostats, washers/dryers, refrigerators, baby monitors, home security cameras).
  • Automotive, especially given Chevrolet's heavy marketing of Wi-Fi-equipped, kid-friendly cars.


Additional Information

All your information will be kept confidential according to EEO guidelines.
