As a Penetration Test Engineer at Section, you will design and execute security testing strategies across applications, APIs, infrastructure, and cloud environments, integrating tightly with engineering squads and platform teams. The role blends hands-on pen testing with security architecture guidance, secure SDLC enablement, and automation that elevates security posture at scale. Success looks like measurable risk reduction, faster secure releases, and a culture of continuous security improvement across distributed, multicultural teams in Southeast Asia and beyond.
Own the penetration testing lifecycle
● Plan, scope, and execute black/grey/white-box tests for web, mobile, microservices, and APIs.
● Perform secure code reviews in partnership with engineering leads.
Integrate security into DevSecOps
● Embed automated security testing into CI/CD (SAST/DAST/IAST/SCA), define gates, and tune pipelines for low false positives.
● Build and maintain reusable scripts, playbooks, and baselines for continuous security checks.
Findings management and remediation
● Produce clear, prioritized reports with reproduction steps, exploit details, and business risk context.
● Partner with developers to reproduce issues, validate fixes, and drive root-cause remediation.
Compliance and governance
● Support security audits, client assessments, and evidence collection.
● Map findings to frameworks and best practices (OWASP ASVS, Top 10, MAS TRM, CIS Benchmarks, NIST CSF).
● 2–4 years in offensive security and penetration testing, including hands-on application and cloud testing.
● Proven experience embedding security in agile delivery and CI/CD environments.
Technical skills
● Strong in web/app/API testing: authentication/authorization flaws, injection, deserialization, SSRF, IDOR, XSS, etc.
● Cloud and infrastructure: Cloud security (IAM, network segmentation, key/secret management), containers/Kubernetes fundamentals.
● Proficiency with tools and frameworks: Burp Suite Pro, Nmap, Metasploit, Postman, SQLMap, Hydra, PowerShell/Bash/Python, Git.
● Familiarity with SAST/DAST/IAST/SCA tools and integrating them into CI/CD.
Education and Credentials
● Bachelor’s degree in Computer Science, Information Security, or related field; equivalent experience considered.
Certifications:
● OSCP strongly preferred; OSWE, OSEP, OSWA, GXPN, GPEN, or similar are advantageous.
Experience with:
● E-commerce, fintech, public sector, or regulated environments (e.g., MAS TRM, PCI DSS).
● Data security for analytics platforms and warehouses (Snowflake governance, masking, RBAC, data exfiltration testing).
● Kubernetes security and supply chain security (SBOM, SLSA).
● Building security automation and custom tooling.
● Performing vulnerability prioritization using the CVSS framework to accurately evaluate the severity and business impact of security findings.
We cover claimable medical expenses because your health is the most important!
We believe in a never-ending cycle of learning, and we'll provide training and design a career progression for you.
Our hours are incredibly flexible, but our main focus is being productive during working hours! We sometimes work from home too.
Happy tummy = happy employees. We make sure our pantry's always stocked up. We have a beanbag for nap time too!
We believe in having work-life balance, no matter what you do. Who says you can't do good work and have a social life too?
1 - 3 Years of Experience
Senior Executive
Cybersecurity / Network Security