At Optiv, we're on a mission to help our clients make their businesses more secure. We're one of the fastest growing companies in a truly essential industry.
In your role at Optiv, you'll be inspired by a team of the brightest business and technical minds in cyber security. We are passionate champions for our clients, and know from experience that the best solutions for our clients' needs come from working hard together. As part of our team, your voice matters, and you will do important work that has impact, on people, businesses and nations. Our industry and our company move fast, and you can be sure that you will always have room to learn and grow. We're proud of our team and the important work we do to build confidence for a more connected world.
Optiv is a multi-disciplined consulting team with focus areas on network penetration, malware analysis, vulnerability research, hardware testing, operating system, mobile device, and application testing. The Application Security (AppSec) practice focuses on mobile and web application testing, and generally anything in Java, .Net, PHP or Web/Mobile frameworks.
We expect a senior-level individual to have at least four years in a directly related role. Currently, we are looking for Consultants primarily in Seattle, Chicago, New York and the SF Bay, but given that much of the work is remote, we would like to talk to you regardless of where you call home.
Optiv maintains an international client base which allows us to locate consultants across the country and around the globe. However, if you would be willing to relocate to one of our preferred US locales we do offer relocation assistance.
Travel: We quote out "up to 20%", but this really depends on where you live. If it's rural, I would expect to be on a plane occasionally; if you live in a major metropolitan area we can usually keep you within driving distance of your clients.
Salary: Better than industry averages, based on experience and talent. Talent is well compensated.
We pay out bonuses to the consultants based on utilization, which means if you stay at least 80% utilized you'll receive a quarterly bonus.
Office Life: Most of the team works from home or with some of their local coworkers on larger projects. If you want to come into the office every day this job may not be the best fit. We tend to hire experienced workers that have the ability to manage their time without constant supervision.
Required Education: We don't require a Computer Science degree, but plenty of the team has them. We always look at capabilities and experience first.
Hiring Process: You'll start out talking to the AppSec Practice Manager you would be working for. He'll walk through your resume with you and try to bring out the tangibles. Most of his questions are going to be trying to figure out where your consulting skills are and if you could work with our processes.
If the AppSec Manager hands you off, we'll give you a target for a quick web application assessment. You'll have 72 hours to go after a vulnerable app and write up the results. When you're done you'll have a call with 2-3 principal consultants on the team. Once we've walked through your report, we'll move onto a technical interview and the questions will be based on the work we perform. We aren't going to try out trick questions or ask you something that you could just Google. It's more about proving your experience and communicating your thought processes.
Things we like to see: CVEs, links to your con preso (or your con), tools, research papers, generally anything that can demonstrate you know your stuff when it comes to web and mobile applications.
Skills we expect:
Able to demonstrate a comprehensive application testing methodology. This means that you can go off a work plan that covers A-Z in terms of potential issues. This can be a problem for people that are used to run tool->get results or hunt and peck style testing.
Gray box application testing. Our normal app assessment approach is a full-knowledge gray box style where we have access to docs, source, a functioning app, and control of the environment. We do also perform straight code reviews or black box testing and all consultants need to be comfortable with both. Basically, you need to be able to take advantage of those resources, when present, and not be hamstrung when they are not available.
Code review and static analysis. You should know how to approach a large code review and be experienced with current static analysis tools. You should be able to look at a codebase and prioritize code for top-down as well as create signatures for components that aren't covered with the base toolset.
Mobile application testing. You should understand the threat classes for mobile apps and preferably have performed assessments of mobile applications on the iOS, WinPhone, and Android platforms.
Threat Modeling and SDL processes, as per the MS guidelines.
Secure SDLC for Agile / DevOps
Development experience in some of these areas:
.Net (C#/Net), Java, Ruby, PHP, Python, along with common dev frameworks such as Spring Core/Boot/MVC, Hibernate, JSF/JSP, Ruby On Rails, Sinatra, Entity Framework, WCF
We don't expect people to be experts in every area but you will have to demonstrate expertise in a few so that we can fit you with the appropriate projects.
We don't have an official scripting language, but the team generally tends to work in Ruby or Python for project tools.
Consulting skills. This is a consulting position, which means you will have to talk to people at some point and wear a nice shirt once in a while. We understand that security folks can be weird at times and we generally like weird at Optiv but you have to be able to rein it in when working with the clients.
Platform-wise we are a Mac shop.
Additional research experience in the following would also be a plus:
Bypassing GeoLocation services, mainly used for online gaming / gambling.
Home appliance hacking (thermostat, washer/dryers, refrigerator, baby monitors, home security cameras).
Automotive - especially with Chevrolet's heavy marketing towards the Wi-Fi, kid-friendly car.
Why you'll love it here:
If you are seeking a culture that supports growth, fosters success and moves the industry forward, find your place at Optiv! Optiv's mission is to deliver comprehensive, integrated cybersecurity programs in order to optimize customer security programs to be more effective, efficient, manageable and measurable. Our aim is to become the world's largest cybersecurity solutions integrator by leveraging our expertise in security technology, market leading services, and innovative approaches. We have served more than 12,000 clients of various sizes across multiple industries, offer an extensive geographic footprint, and have premium partnerships with more than 350 of the leading security product manufacturers. Optiv is a privately-held company backed by KKR, a leading global private equity firm.
With Optiv you can expect:
Entrepreneurial and collaborative environment
A Competitive total rewards program
Professional training opportunities
Engaging and fun culture
Opportunity to work with industry leading, talented peers