SAP Security Engineering (Penetration Tester), IS&T Enterprise Systems

Apple

About The Position

In a fast-evolving digital world, our team seeks a Security Researcher with an offensive security mindset to tackle emerging cyber threats within Apple’s critical ERP environment. You will play a pivotal role in safeguarding our dynamic, hybrid enterprise systems, which underpin Apple’s supply chain, treasury, and customer experiences. This unique opportunity focuses on shifting security left by relentlessly pursuing and identifying vulnerabilities early and often within the development lifecycle. You will apply cutting-edge offensive security techniques, code analysis, and penetration testing to generate meaningful data that drives the evolution of secure development standards. You’ll be joining a spirited and supportive team of security experts that are passionate about protecting Apple’s most valuable asset—it’s customers. This role offers an unparalleled opportunity for an early-career offensive security professional to become a recognized expert in a highly specialized and critical domain, with significant impact on a global scale. If you possess the vital offensive security skills, an insatiable desire to find vulnerabilities in sophisticated systems, a passion for ethical hacking, and a strong curiosity for how enterprise systems function, we would love to meet you. DESCRIPTION AS A SECURITY RESEARCHER, YOU CAN EXPECT TO: Conduct advanced offensive security testing across Apple’s hybrid SAP landscape, including: Manual penetration testing of custom ABAP & Java applications, SAP Fiori apps, web applications, APIs, and mobile interfaces. Vulnerability research and testing within SAP S/4HANA, ECC, BTP services, Ariba, Commerce Cloud, Signavio, LeanIX, and other integrated cloud-native systems. Security assessments of underlying infrastructure and cloud environments supporting SAP. Perform deep-dive source code reviews of sophisticated applications to identify security flaws and architectural weaknesses. Develop custom scripts, tools, and proof-of-concept exploits to augment penetration testing activities, automate vulnerability discovery, and demonstrate impact. Proactively identify and research emerging threats and attack vectors relevant to enterprise systems and the SAP ecosystem. Document findings in high-quality, actionable reports and presentations, clearly communicating technical vulnerabilities, their business impact, and recommended remediations to engineering teams across the organization. Collaborate closely with engineering and development teams to provide security advice, improve secure coding practices, and integrate security early into the development lifecycle (shift-left). Assemble and analyze threat & vulnerability data to highlight issues and trends, and author enhanced development standards and security requirements. Contribute to the team’s security knowledge base, sharing expertise, developing technical documentation, and shaping testing methodologies. Continuously learn and develop expertise in offensive security techniques and the intricacies of the SAP ecosystem.

Requirements

0-2 years of experience in offensive security, penetration testing, vulnerability research, or a related field
0-2 years of experience in web application security, API security, system and infrastructure security, and common attack techniques.
0-2 years of experience in reading, understanding, and finding vulnerabilities in sophisticated codebases (e.g., ABAP, Java, JavaScript, Go).
0-2 years of experience in at least one scripting or programming language (e.g., Python, PowerShell, Bash, Go, Ruby, JavaScript (Node.js)) for security automation and tool development.
Bachelor’s degree or equivalent in Computer Science, Cybersecurity, Information Systems, or a related technical field.

Nice To Haves

Relevant offensive security certifications (e.g., OSCP, OSWE, OSWP, eJPT) are highly regarded.
Experience with CTFs, hacking labs, bug bounty programs, or public security research/CVEs.
Knowledge of cloud architecture and security principles (e.g., AWS, Azure, GCP, SAP BTP).
Familiarity with modern cybersecurity concepts including AI/ML applications in security, cryptography, and prompt engineering for security tasks.
Experience with data visualization and communication tools (e.g., Keynote, draw.io (http://draw.io/), Miro, Adobe Illustrator) to heighten the storytelling impact of your discoveries.
Proficiency in MacOS and other Unix-based systems.
A degree combining technology and humanities (e.g., Computer Science with a minor in Ethics or Philosophy) is a plus.
Internships, research projects, open-source contributions, CTF participation, or bug bounty success are highly valued.
A profound passion for information security, particularly in penetration testing and vulnerability discovery.
An insatiable curiosity for how complex enterprise systems work, with a mandatory desire to learn and understand the SAP ecosystem. (No prior SAP expertise required, but a strong aptitude and willingness to dive deep into this domain is essential).
Experience with or a strong interest in learning ABAP is a significant plus.
Strong analytical, problem-solving, and critical thinking skills, with the ability to analyze complex challenges and produce creative solutions.
Excellent written and verbal communication skills, with the ability to effectively communicate complex technical concepts and their business impact to diverse audiences.
Ability to learn new skills, concepts, and technologies rapidly, and to grasp large, sophisticated systems while context-switching as needed.
A strong understanding of fundamental computing, database, networking, and security concepts.
An appreciation for the ethical and societal implications of technology and a commitment to responsible innovation.

Responsibilities

Conduct advanced offensive security testing across Apple’s hybrid SAP landscape, including: Manual penetration testing of custom ABAP & Java applications, SAP Fiori apps, web applications, APIs, and mobile interfaces.
Vulnerability research and testing within SAP S/4HANA, ECC, BTP services, Ariba, Commerce Cloud, Signavio, LeanIX, and other integrated cloud-native systems.
Security assessments of underlying infrastructure and cloud environments supporting SAP.
Perform deep-dive source code reviews of sophisticated applications to identify security flaws and architectural weaknesses.
Develop custom scripts, tools, and proof-of-concept exploits to augment penetration testing activities, automate vulnerability discovery, and demonstrate impact.
Proactively identify and research emerging threats and attack vectors relevant to enterprise systems and the SAP ecosystem.
Document findings in high-quality, actionable reports and presentations, clearly communicating technical vulnerabilities, their business impact, and recommended remediations to engineering teams across the organization.
Collaborate closely with engineering and development teams to provide security advice, improve secure coding practices, and integrate security early into the development lifecycle (shift-left).
Assemble and analyze threat & vulnerability data to highlight issues and trends, and author enhanced development standards and security requirements.
Contribute to the team’s security knowledge base, sharing expertise, developing technical documentation, and shaping testing methodologies.
Continuously learn and develop expertise in offensive security techniques and the intricacies of the SAP ecosystem.