26933185 Vulnerability Research (Principal Application Security Analyst - Senior Vice President) (Open)


CITIBANK N.A.
Posted date: 2 days ago
Minimum level: N/A
Employment type: Full-time
Job category: Security

What you'll do

As a principal application security analyst on our Offensive Security & Vulnerability Management team, you are responsible for:
  • Vulnerability Research & Exploitation: Conduct in-depth research to discover new attack vectors and zero-day vulnerabilities in enterprise applications, systems, and third-party components. Develop proof-of-concept exploits to effectively demonstrate risk.
  • Whitebox Penetration Testing: Perform comprehensive whitebox penetration tests, leveraging access to source code, design documentation, and internal system knowledge to uncover sophisticated security flaws that blackbox testing might miss.
  • Source Code Review: Conduct manual and automated source code reviews across various programming languages (e.g., Java, C#, Python, JavaScript) to identify security vulnerabilities, misconfigurations, and adherence to secure coding practices.
  • Third-Party Component Analysis: Evaluate the security of third-party libraries, frameworks, and open-source components integrated into Citi's applications. Identify known vulnerabilities (e.g., CVEs) and assess potential risks.
  • Remediation Guidance: Provide clear, concise, and actionable remediation recommendations to development teams, offering expert advice on secure coding, configuration, and architectural solutions.
  • Tooling & Automation: Utilize and contribute to the development of advanced security testing tools, static analysis (SAST), and dynamic analysis (DAST) solutions to improve efficiency and coverage.
  • Reporting & Communication: Prepare detailed technical reports outlining findings, risk levels, and recommended mitigations for both technical and non-technical audiences.
  • Mentorship & Knowledge Sharing: Mentor junior penetration testers and security engineers, sharing expertise in vulnerability research, source code analysis, and whitebox testing techniques.
  • Stay Current: Continuously research and stay abreast of the latest security threats, vulnerabilities, attack techniques, and industry best practices.

Job Skills/Qualifications:
  • 8+ years of experience in penetration testing, ethical hacking, or application security, with a significant focus on whitebox testing and/or source code review.
  • Proven expertise in vulnerability research, including the ability to identify novel vulnerabilities and develop reliable exploits.
  • Strong proficiency in at least one major programming language (e.g., Java, C#, Python) and familiarity with others.
  • In-depth understanding of common web application vulnerabilities (OWASP Top 10) and API security best practices.
  • Experience with static application security testing (SAST) tools and dynamic application security testing (DAST) tools.
  • Strong understanding of cloud computing platforms (AWS, Google Cloud, Azure) and experience in securing applications and infrastructure deployed in these environments.
  • Experience with microservices architecture and securing containerized applications (e.g., Docker, Kubernetes).
  • Experience with mobile application penetration testing (iOS and Android).
  • Excellent written and verbal communication skills, with the ability to articulate complex security issues to diverse audiences.
  • Ability to work independently and as part of a team in a fast-paced, dynamic environment.
  • Relevant industry certifications such as OSCE, GIAC GWAPT, GPEN, GXPN, or similar.

Location: Singapore