Penetration Tester

We are seeking a skilled Penetration Tester with strong experience in CI/CD pipeline security to identify, assess, and mitigate security vulnerabilities across applications, infrastructure, and automated deployment environments. The role focuses on proactive security testing, secure DevOps practices, and strengthening systems against evolving threats.

Key Responsibilities

• Conduct penetration testing on web applications, APIs, networks, and cloud environments.

• Perform security assessments of CI/CD pipelines, including build, test, and deployment workflows.

• Identify vulnerabilities related to source code repositories, automation tools, container images, and secrets management.

• Test authentication, authorization, session management, and access controls.

• Assess API security, including token handling, rate limiting, and authorization flaws.

• Execute static (SAST), dynamic (DAST), and dependency security testing within CI/CD processes.

• Validate security of containerized environments (Docker, Kubernetes).

• Simulate real-world attack scenarios and document findings with clear remediation guidance.

• Collaborate with development and DevOps teams to implement secure-by-design practices.

• Support incident response investigations and post-incident analysis when required.

Required Skills & Experience

• 2+ years of experience in penetration testing, application security, or ethical hacking.

• Strong understanding of CI/CD pipelines and DevSecOps methodologies.

• Hands-on experience securing tools such as GitHub Actions, GitLab CI, Jenkins, Azure DevOps, or similar.

• Proficiency in web and API security testing (OWASP Top 10, OWASP API Top 10).

• Experience with authentication mechanisms (JWT, OAuth2, SSO).

• Knowledge of common vulnerabilities: SQLi, XSS, CSRF, SSRF, IDOR, RCE, misconfigurations.

• Familiarity with Linux environments, networking concepts, and cloud security fundamentals.

Tools & Technologies

• Penetration testing tools: Burp Suite, Metasploit, Nmap, OWASP ZAP, Nikto.

• CI/CD security tools: Snyk, Trivy, SonarQube, Dependabot, GitGuardian.

• Container and cloud security tools (experience preferred).

• Scripting knowledge in Python, Bash, or PowerShell is an advantage.