Sr Penetration Tester

Posted 3 Days Ago
Mexico City, Cuauhtémoc, Mexico City
7+ Years Experience
Software • Energy
The Role
The Senior Application Penetration Tester will lead penetration testing efforts, focusing on enhancing application security through testing, validation, and reporting. Responsibilities include executing security assessments, monitoring emerging threats, and supporting the Secure Development Lifecycle. The role requires collaboration with development teams to remediate vulnerabilities and implement best practices in security design and architecture.
Summary Generated by Built In

The driving force behind our success has always been the people of AspenTech. What drives us is our aspiration, our desire and ambition to keep pushing the envelope, overcoming any hurdle, challenging the status quo to continually find a better way. You will experience these qualities of passion, pride and aspiration in many ways, from a rich set of career development programs to support of community service projects to social events that foster fun and relationship building across our global community.

The Role

The Senior Application Penetration Tester will enhance our vigilant protection of applications by performing penetration tests to validate product resiliency against emerging threats. This role will assist in prioritization, pen test planning, execution, reporting, findings remediation tracking and support developer remediation. Penetration testing will help validate security requirements, designs and controls across desktop applications, web applications and cloud applications.
The key objective is to drive Application Penetration Testing during the Secure Development Lifecycle. Key security practices which are part of the Secure Development Lifecycle include: Product Security Requirements, Risk Assessments, Threat Intelligence, Threat Models, Secure Architecture/Design Reviews, security scanner triage, vulnerability management, product security emergency response support and support for the Security Champion Program.
Under the direction of the VP of Product Security, this role is a key member for day-to-day operations of Product Security at Aspen Technology. This role will be a thought leader to help provide actionable findings, reproduce vulnerabilities, provide best practices to development teams, and provide support to strategic security initiatives.

Your Impact

  • Drive Application Security Pen Test planning, execution, reporting, findings remediation tracking and support developer remediation. Penetration testing will help validate security requirements, designs and controls across desktop applications, web applications and cloud applications.
  • Drive Application Security penetration testing across the AspenTech Product Portfolio. Provide actionable reports which teams can leverage for improving our application security posture.
  • Monitor emerging attacks, threat actors, attacker methods (tools, tactics, techniques, and procedures), security best practices, and common application weaknesses.
  • Responsible for supporting the design, implementation, and oversight of the Product Secure Development Lifecycle, including aspects such as security requirements, secure architecture/design, risk assessments, threat models, security scanning, triage and vulnerability management, and product security validation/verification.
  • Maintains a deep understanding of current issues in the realm of information security. Subscribes to major industry newsgroups and mailing lists and assesses the impact of all emerging issues on systems and practices at Aspen Technology.
  • Monitors security bulletins and alerts from all Aspen Technology’s information system vendors. Evaluates vulnerability impact and formulates and executes risk mitigation plans for product security.
  • Ability to assess security and potentially leverage Machine Learning and AI solutions. This may include OWASP Top 10 LLM, MITRE ATLAS, or Threat Modeling of ML/AI solutions. Where appropriate, recommend opportunities to leverage AI in the Product Security Department.
  • Member of the AspenTech Security Emergency Response Team (ASERT) providing expert analysis of customer-reported security incidents. Works with information resource owners during and after security incidents; works with product teams for analysis; recommends best practices and solutions. Where appropriate, works with product teams, technology teams, client support and customer contacts.
  • Occasional after hours and weekend work to perform tasks that cannot be done during business hours.

What You'll Need

  • Bachelor’s degree (B.A./B.S.) or equivalent in computer science or technical equivalent discipline from an accredited college or university required.
  • 8+ years of experience in IT required.
  • 6+ years of experience in an information security role or experience with security and development teams. Relevant information security certifications preferred, including CISSP, CISM, CISA, CCSP, CSSLP, CEH, Security+ and GPEN.
  • Experience performing black/white/gray box penetration testing activities manually and leveraging automation tools.
  • Ability to drive security Application Penetration Testing for applications on desktop, web deployments and cloud environments. This includes APIs across various technology stacks, with emphasis on cloud-based testing methodologies.
  • Ability to manage penetration testing end to end. This includes assisting in the prioritization, pen test plan development, pen test execution, pen test reporting, and pen test remediation treatment tracking.
  • Ensure security requirements are implemented within various stages of the system development lifecycle process; work closely with development teams to pen test new features within internally developed applications as part of our secure development lifecycle. This could also include security integration testing across applications or with 3rd party technologies.
  • Assist in the cultural awareness/adoption on application security best practices, metrics, and strategy where possible.
  • Experience with Penetration Testing, Application/Product Security, Risk Assessments, Threat Models, Secure Architecture/Design, Security Scanning (SAST, DAST, SCA, cloud security configuration scanning).
  • Experience with cloud solutions such as Azure and AWS, including experience with security policy, procedures, tools, services, and cloud security models.
  • Preferable exposure to the following: ISA 62443-4-1, NIST 800-53, ISO 27001, ISO 27002, ISO 27017, Cloud Security Alliance (CSA), Cybersecurity and Infrastructure Security Agency (CISA), SANS, OWASP, CWE 25.
  • Desired domain knowledge and/or certification: CISSP, CCSP, CSSLP, CEH, SANS GIAC, GCPN, GPEN, OSCP.

Top Skills

Penetration Testing
The Company
HQ: Bedford, MA
2,466 Employees
On-site Workplace

What We Do

AspenTech is a global leader in asset optimization software helping the world’s leading industrial companies run their operations more safely, efficiently and reliably – enabling innovation while reducing waste and impact on the environment. AspenTech software accelerates and maximizes value gained from digital transformation initiatives with a holistic approach to the asset lifecycle and supply chain.

By introducing effective AI modeling to traditional principles of process engineering, AspenTech delivers a faster and more accurate analysis of efficiency and performance boundaries. The real-time data and actionable insights delivered by our software help customers push the boundaries of what’s possible.
