**Senior Consultant, Application Security**
- Denver, CO
Created in 2015 from the merger of Accuvant and FishNet Security, Optiv is the largest holistic pure-play cyber security solutions provider in North America. We help clients plan, build and run successful cyber security programs that achieve business objectives through our depth and breadth of cyber security offerings, extensive capabilities and proven expertise in cyber security strategy, managed security services, incident response, risk and compliance, security consulting, training and support, integration and architecture services, and security technology. Learn more on www.optiv.com.
Optiv is a multi-disciplined consulting team with focus areas on network penetration, malware analysis, vulnerability research, hardware testing, operating system, mobile device, and application testing. The Software Security group focuses on mobile and web application testing, and generally anything in Java, .Net, PHP or Web/Mobile frameworks
We expect a senior-level individual to have at least four years in a directly related role. Currently we are looking for Consultants primarily in Seattle, Chicago, New York and the SF Bay, but given as the majority of work is remote we would like to talk to you regardless of where you call home.
- Optiv maintains an international client base which allows us to locate consultants across the country and around the globe. However, if you would be willing to relocate to one of our preferred US locales we do offer relocation assistance.
We quote out "up to 20%", but this really depends on where you live. If it's rural, I would expect to be on a plane once in a while; if you live in a major metropolitan area we can usually keep you within driving distance of your clients.
Better than industry averages, based on experience and talent. Talent is well compensated.
We pay out bonus to the consultants based on utilization, which means if you stay at least 70% utilized you’ll receive a quarterly bonus.
Most of the team works from home or with some of their local coworkers on larger projects. If you want to come into the office every day this job may not be the best fit. We tend to hire experienced workers that have the ability to manage their time without constant supervision.
We don't require a Computer Science degree, but plenty of the team has them. We always look at capabilities and experience first.
You'll start out talking to the SSG Practice Manager you would be working for. He'll walk through your resume with you and try to bring out the tangibles. Most of his questions are going to be trying to figure out where your consulting skills are and if you could work with our processes.
If the SSG Manager hands you off, we'll give you a target for a quick web application assessment. You'll have 72 hours to go after a vulnerable app and write up the results. When you're done you'll have a call with 2-3 principal consultants on the team. Once we’ve walked through your report, we’ll move onto a technical interview and the questions will be based on the work we perform. We aren't going to try out trick questions or ask you something that you could just Google. It's more about proving your experience and communicating your thought processes.
Things we like to see:
CVE's, links to your con preso (or your con), tools, research papers, generally anything that can demonstrate you know your stuff when it comes to web and mobile applications.
Skills we expect:
- Able to demonstrate a comprehensive application testing methodology. This means that you can go off a work plan that covers A-Z in terms of potential issues. This can be a problem for people that are used to run tool->get results or hunt and peck style testing.
- Gray box application testing. Our normal app assessment approach is a full-knowledge gray box style where we have access to docs, source, a functioning app, and control of the environment. We do also perform straight code reviews or black box testing and all consultants need to be comfortable with both. Basically you need be able to take advantage of those resources, when present, and not be hamstrung when they are not available.
- Code review and static analysis. You should know how to approach a large code review and be experienced with current static analysis tools. You should be able to look at a codebase and prioritize code for top-down as well as create signatures for components that aren’t covered with the base toolset.
- Mobile application testing. You should understand the threat classes for mobile apps and preferably have performed assessments of mobile application on the iOS, WinPhone, and Android platforms.
- Threat Modeling and SDL processes, as per the MS guidelines.
- Secure SDLC for Agile / DevOps
Development experience in some of these areas:
- .Net (C#/Net), Java, Ruby, PHP, Python, along with common dev frameworks such as Spring Core/Boot/MVC, Hibernate, JSF/JSP, Ruby On Rails, Sinatra, Entity Framework, WCF
We don't expect people to be experts in every area but you will have to demonstrate expertise in a few so that we can fit you with the appropriate projects.
- We don't have an official scripting language, but the team generally tends to work in Ruby or Python for project tools.
- Consulting skills. This is a consulting position, which means you will have to talk to people at some point and wear a nice shirt once in a while. We understand that security folks can be weird at times and we generally like weird at Optiv but you have to be able to rein it in when working with the clients.
- Platform-wise we are a Mac shop.
Additional research experience in the following would also be a plus:
- Bypass GeoLocation services, mainly used for on-line gaming / gambling.
- Home appliance hacking (thermostat, washer/dryers, refrigerator, baby monitors, home security cameras).
- Automotive - especially with Chevrolet’s heavy marketing towards the Wifi kid friendly car.
Optiv is an Equal Opportunity Employer. We are committed to a work environment where everyone is treated with respect. It is our policy to recruit, employ, retain, promote, terminate and otherwise treat any and all employees and job applicants on the basis of merit, qualifications and competence. We will provide equal employment opportunities without regard to race, color, age, sex, religion, national origin, disability, military or veteran status, sexual orientation, gender identity or expression, marital status, genetic information, or any other legally protected status or characteristic.
We will also take affirmative action as called for by applicable laws and executive orders to ensure that minority group individuals, females, disabled veterans, recently separated veterans, other protected veterans, Armed Forces Service Medal veterans, and qualified disabled persons are introduced into our workforce and considered for promotional opportunities.
This policy prohibits retaliation or adverse employment action against anyone who exercises his or her rights under this policy or any anti-discrimination law, who cooperates in any company investigation, or who participates in any investigation or proceeding by any governmental agency.