Penetration Tester
General Dynamics Information Technology · United States · 5 days ago
RemoteRemoteInformation Technology$123k–$167k/yrFull-time
Key Responsibilities
- Perform application, API, and cloud penetration tests on CMM systems prior to ATO submission.
- Conduct web, mobile, API, and microservices security testing using industry-standard tools and manual exploitation techniques.
- Execute AWS cloud penetration testing within approved boundaries (IAM, S3, Lambda, API Gateway, ECS/EKS, networking).
- Perform static and dynamic analysis, including code review for security vulnerabilities.
- Conduct credentialed and uncredentialed scans, privilege escalation testing, and lateral movement analysis.
- Validate implementation of NIST 800-53 controls, including AC, AU, IA, SC, SI, and CM families.
- Support RMF Step 3 (Security Assessment) activities and provide evidence for ATO packages.
- Identify vulnerabilities across application layers, cloud infrastructure, and CI/CD pipelines.
- Work with developers, cloud engineers, and DevSecOps teams to validate fixes and retest vulnerabilities.
- Provide detailed remediation guidance aligned with secure coding and cloud security best practices.
- Track findings in Jira or equivalent tools and ensure closure prior to ATO milestones.
- Prepare Security Assessment Reports (SAR), penetration test summaries, and risk findings for AO stakeholders.
- Document exploitation steps, proof-of-concepts, and risk severity aligned with federal scoring methodologies.
- Contribute to System Security Plans (SSP), POA&Ms, and ATO evidence packages.
- Support pre-ATO readiness reviews, including control validation and security walkthroughs.
- Participate in tabletop exercises, threat modeling sessions, and architecture reviews.
- Validate system resilience through stress, failover, and adversarial resilience testing.
- Ensure compliance with federal security standards, including NIST, FISMA, and AO-specific guidelines.
- Work closely with development teams to integrate security testing into Agile sprints.
- Provide security insights during sprint planning, backlog refinement, and release readiness reviews.
- Support secure CI/CD pipeline enhancements, including automated security scanning.
Job Qualifications
- 8+ years of experience in penetration testing, application security, or ethical hacking security roles.
- Experience documenting test plans, test procedures, and detailed security findings.
- Experience supporting federal security assessments or enterprise-scale security testing.
- Hands-on experience performing penetration tests on web applications, APIs, microservices, and cloud environments.
- Strong proficiency with tools such as Burp Suite, OWASP ZAP, Metasploit, Nmap, Nessus, Nikto, K6 Security, or custom scripts.
- Experience testing applications built with NodeJS, ReactJS, REST APIs, and microservices.
- Strong understanding of AWS security, including IAM, VPC, S3, Lambda, API Gateway, ECS/EKS, CloudTrail, and CloudWatch.
- Experience with NIST 800-53, RMF, FedRAMP, or federal ATO processes.
- Ability to interpret logs, metrics, and security telemetry to identify attack paths.
- Familiarity with SIEM and monitoring tools such as Datadog, ELK, CloudWatch, Grafana.
- Experience with container security (Docker, Kubernetes, OpenShift).
- Understanding of network security, distributed tracing, and adversarial testing techniques.
- Strong analytical, communication, and documentation skills.