Sr. Application Security Researcher in Test (Dynamic)

Waterloo, ON, CA

OpenText

OpenText offers cloud-native solutions in an integrated and flexible Information Management platform to enable intelligent, connected and secure organizations.


 

OPENTEXT 
OpenText is a global leader in information management, where innovation, creativity, and collaboration are the key components of our corporate culture. As a member of our team, you will have the opportunity to partner with the most highly regarded companies in the world, tackle complex issues, and contribute to projects that shape the future of digital transformation.

WHO WE ARE:

At OpenText, everything we do is based on a simple idea: The fastest way to get results is to build on what you have. Our software solutions enable organizations to do just that. Secure and scalable, with analytics built-in, they bridge the gap between existing and emerging IT—fast-tracking digital transformations across DevOps, Hybrid IT, Security, and Predictive Analytics. In the race to innovate, OpenText customers have a clear advantage. Our portfolio spans the following areas: DevOps | IT Operations | Cloud | Security | Info Governance | Big Data, Machine Learning, & Analytics

 

About Our Team:

 

The Software Security Research (SSR) Team specializes in approaching security from the perspective of how we build and use software.

Our team is responsible for conducting security research which leads to enhanced security products as well as contributions to the Security Research Blog, whitepapers, conference presentations, and annual Cyber Risk Report. Furthermore, our team has identified new types of software vulnerabilities, defined the taxonomy used by all Fortify products, and highlighted broad security problems in development practices.

 

Fortify SSR is seeking a self-driven enterprise Lead Application Security Researcher-in-Test who understands that security is more than firewalls and encryption.

 

We are looking for people with web development and application security experience who are energized to work within a start-up-like environment, but with the benefits of OpenText’s resources. We are looking for individuals who are self-motivated, able to deliver under pressure, and interested in working within a group with global influence. The job requires work on complex problems/projects where analysis of situations or data requires an in-depth evaluation of multiple factors.

 

Software security is becoming a bigger concern as more and more organizations are experiencing embarrassing public incidents with large losses of data.

 

 

What you’ll be doing

 

  • Continually learn new Web technologies, protocols, languages, frameworks, and vulnerabilities
  • Investigate and implement techniques to exploit Web vulnerabilities (e.g., penetration testing)
  • Extract the essence of known vulnerabilities (e.g., CVEs)
  • Develop exemplary Web applications and systems with vulnerabilities
  • Keep up with and assess the latest trends in software security 
  • Collaborate with security researchers, quality assurance, and engineering teams

 

What you’ll bring

 

  • Bachelor’s degree in relevant Computer Science, Cyber Security, or Engineering program
  • A passion for application security and specifically how software vulnerabilities occur (e.g., SQLi, XSS, JNDI Injection, etc.)
  • Strong communication and analytical skills
  • 5+ years of experience in a software/security engineering role, or in a software development role with a strong focus on enterprise security (ideally with C# .NET)
  • Must have working knowledge of Web application development technologies (e.g., HTTP(S), HTML5, JavaScript/TypeScript, Python, Java, C#, ASP.NET, PHP, Apache Web Server, Apache Tomcat, IIS, NGINX, etc.)
  • Strong working knowledge of Linux and Windows operating systems and related shell scripting environments (e.g., BASH, PowerShell, etc.)
  • Experience working with modern Web technologies (e.g., GraphQL, REST APIs, gRPC, Spring, Django, SOAP, etc.)
  • Working knowledge of tools such as web proxies, Wireshark, etc. 
  • Working knowledge of TCP/IP, TLS/SSL protocols, and cipher suites
  • Experience with Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE)

 

Nice to have:

 

  • Prior experience as a penetration tester (e.g., using Fortify WebInspect, Burp Suite, etc.)
  • Prior experience working in a large enterprise software development environment (e.g., agile, scrum)
  • Experience creating Capture the Flag (CTF) challenges
  • Knowledge of industry standards and taxonomies (e.g., NIST SP 800-53, DISA STIG, CAPEC) as well as best practices and methodologies (e.g., OWASP Top 10, OWASP ASVS)
  • Source code auditing experience (especially Fortify SCA)
  • Experience working with and configuring virtual machines and containers (e.g., vCenter, Kubernetes, Docker, etc.)
  • Data science or AI experience

OpenText's efforts to build an inclusive work environment go beyond simply complying with applicable laws. Our Employment Equity and Diversity Policy provides direction on maintaining a working environment that is inclusive of everyone, regardless of culture, national origin, race, color, gender, gender identification, sexual orientation, family status, age, veteran status, disability, religion, or other basis protected by applicable laws. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please contact us at hr@opentext.com.


Tags: Agile Analytics APIs Application security ASP.NET Audits Bash Big Data Burp Suite C Cloud Computer Science CTF DevOps DISA Django Docker Encryption Exploit Firewalls Governance Java JavaScript Kubernetes Linux Machine Learning Nginx NIST NIST 800-53 OWASP Pentesting PHP PowerShell Python Scripting Scrum TCP/IP TLS Tomcat TypeScript Vulnerabilities Windows XSS

Perks/benefits: Career development Startup environment

Region: North America
Country: Canada
