Senior Security Consultant, Application Security

About The Position

Requirements

• 5+ years in offensive security services, with at least 2–3 years focused on application security and source code review
• Hands-on engagement delivery across multiple AppSec disciplines — code review, application penetration testing, threat modeling, or SDLC consulting
• Deep code review expertise in at least two of: JavaScript / TypeScript (Node.js, modern frontends), Python (Django, Flask, FastAPI), Java (Spring, J2EE), C# / .NET (ASP.NET, Core), C / C++, Rust, GoLang. Working competence in additional languages a strong plus.
• Working knowledge of common framework patterns, ORM behavior, authentication and authorization libraries, cryptographic libraries, and the security pitfalls particular to each
• Familiarity with vulnerability classes
• Strong technical credibility and the comfort to operate as the senior voice on engagements
• Excellent written communication — you produce reports that developers act on rather than file
• Strong verbal communication, with the ability to both present as a subject matter expert in technical discussions and deliver complex concepts, results, etc. to a general audience
• Comfort moving between languages and stacks — specialists who insist on a single technology stack don't fit this role
• Collaborative mindset — AppSec engagements typically involve close coordination with delivery teams and client developers
• Genuine curiosity about how systems work, and patience for reading code carefully — code review consultants who succeed at IOActive are the ones who find the work interesting rather than tedious
• Relevant bachelor's degree or equivalent experience

Nice To Haves

• Familiarity with relevant standards and frameworks: OWASP ASVS, NIST SSDF, BSIMM, SAMM
• Relevant industry certifications strongly preferred: OSCP, OSWE, GWAPT, CSSLP, GWEB, or equivalent application-security focused credentials

Responsibilities

• Lead manual source code reviews on complex production codebases spanning web applications, mobile backends, APIs, and embedded systems
• Identify vulnerability classes ranging from common (injection, authentication and authorization flaws, SSRF, XSS, deserialization) to nuanced (race conditions, deserialization gadgets, cryptographic implementation flaws, business logic vulnerabilities, architectural weaknesses)
• Author findings reports that developers can act on: clear remediation guidance, working proof-of-concepts where appropriate, and architectural recommendations beyond the immediate fix
• Lead client developer workshops to explain findings and patterns, helping teams build security resilience rather than just fixing the listed issues
• Application penetration testing across web, API, and mobile targets, particularly where engagements span code review and dynamic testing
• Threat modeling on new product designs and existing systems using STRIDE, attack trees, or equivalent frameworks
• Secure design reviews of architecture, authentication systems, cryptographic implementations, and inter-service communication
• SDLC advisory engagements: helping clients integrate code review, threat modeling, and security testing into their development lifecycle (CI/CD, pull-request workflows, developer training)
• Serve as the senior technical voice in engagement status meetings, client workshops, technical deep-dives, and developer training sessions
• Build trusted technical relationships with client engineering leadership, AppSec teams, and security architects
• Translate technical findings for two distinct audiences: developers who need to fix the issue, and security leadership who need to understand the business risk and pattern
• Support pre-sales conversations with technical credibility — scoping calls, capability discussions, and proposal input
• Mentor junior and mid-level consultants in code review methodology, vulnerability research, and client engagement — even without direct reporting authority
• Contribute to IOActive's code review playbooks, tooling, methodologies, and report templates
• Identify opportunities to extend IOActive's AppSec capability — new tooling, target stacks, research directions, or service offerings
• Collaborate with adjacent practices (Red Team, Hardware/Silicon, Advisory) on composite engagements
• Contribute to IOActive's application security research — vulnerability discovery, novel attack techniques, framework- or platform-specific findings
• Build personal profile in the application security community: conference talks (Black Hat, DEF CON, OWASP Global, BSides, regional AppSec events), published research, working group participation
• Represent IOActive in AppSec industry conversations, OSS security efforts, and customer advisory engagements as opportunities arise

Benefits

• A chance to work with an industry leader in cyber security
• Access to world-class technical teams and research
• A high-energy, collaborative team that values innovation
• Flexibility—work remotely or from the office as needed
• Opportunities for travel
• Competitive compensation and performance-based incentives