CoStar Group

Provides commercial real estate data, analytics, and marketing services.

4,700 | Commercial Real Estate | Residential | Apartments | Hospitality | Industrial | Retail | Office | Multifamily | Land | Investment Sales

Senior Web App Pen Tester (San Diego or Irvine)

Senior web app pen tester securing software via testing, threat modeling, CI/CD automation.

Irvine, California, United States | San Diego, California, United States
114k - 204k USD
Full Time
Expert & Leadership (13+ years)

Job Highlights

Environment
Office Full-Time
Visa Sponsorship
No visa sponsorship; candidates must be eligible to work in the US.
Security Clearance
Drug-free workplace and pre-employment substance abuse testing.

About the Role

The Senior Web App Pen Tester will secure the software and applications that power the worldwide real estate market, collaborating with more than 1,000 software, QA, and operations engineers. The role involves threat modeling, white-box security analysis, and grey-box penetration testing, and works with development, DevOps, and security teams to embed security throughout the SDLC. The position is based in San Diego or Irvine, works on-site Monday-Thursday and remote on Friday.

  • Conduct penetration tests on web applications and underlying infrastructure using manual and automated techniques
  • Collaborate with software and product teams to ensure secure design and implementation during the SDLC
  • Utilize a variety of application security tools (DAST, SAST, SCA, credential scanning, IaC scanning) throughout development and production
  • Automate feedback loops to generate developer work items and trigger rescans after remediation
  • Recommend code changes to eliminate vulnerabilities
  • Integrate automated security testing at multiple stages within the CI/CD pipeline
  • Write comprehensive vulnerability reports that clearly convey risk to developers and leadership
  • Apply defense-in-depth strategies to mitigate application risk
  • Automate security tooling in CI/CD pipelines and IDEs (e.g., Veracode, Checkmarx, AppScan, X-Ray, Synopsys, Snyk)
  • Communicate risk effectively to leadership and drive urgency for remediation
  • Coordinate with application teams to apply security-by-design principles
  • Mentor and train team members to prioritize security efforts
  • Implement security tools hands-on within CI/CD pipelines
  • Test modern applications in cloud-native tech stacks
  • Perform mobile application penetration testing

Key Responsibilities

  • Penetration testing
  • CI/CD security
  • Security tooling
  • Vulnerability reporting
  • Threat modeling
  • Secure design

What You Bring

  • Hold a Bachelor's degree in Computer Science, Cybersecurity, or a related field
  • Have 3+ years of technical experience with at least 1 year dedicated to penetration testing
  • Possess experience in web application penetration testing and exploit development
  • Proficient in programming languages such as C#, Java, C/C++, Python, or Go
  • Skilled in scripting languages like Python, PowerShell, GoLang, Perl, JavaScript, .NET, API integration
  • Use DAST tools such as Metasploit, Burp Suite, OWASP ZAP, Acunetix
  • Hold relevant certifications (OSWA/OSWE, OSCP/OSEP, Hack the Box Bounty/Exploitation, INE eWPTX) or equivalent CTF/bug-bounty experience
  • Demonstrate deep understanding of various assessment tools
  • Know infrastructure operations across databases, networks, and system administration
  • Self-starter attitude to advance the application security program and follow through ideas to completion

Requirements

  • Bachelor's
  • Pen testing
  • Web testing
  • Python
  • Burp Suite
  • OSCP

Benefits

CoStar offers a collaborative and innovative culture, generous compensation, performance-based incentives, and extensive professional development resources such as internal training and tuition reimbursement. The benefits package includes comprehensive health coverage, 401(k) matching, employee stock purchase, paid time off, wellness programs, and access to diversity and inclusion employee resource groups. Employees also enjoy on-site fitness facilities, complimentary snacks, and flexible work arrangements. CoStar welcomes all qualified U.S. candidates eligible to work full-time, but does not provide visa sponsorship for this position. The company is an Equal Employment Opportunity employer and maintains a drug-free workplace with pre-employment substance-abuse testing.

  • Competitive base salary ranging from $114,200 to $203,500
  • Performance-based incentives and employee stock purchase plan
  • Comprehensive healthcare coverage: medical, vision, dental, prescription drug
  • 401(k) retirement plan with matching contributions
  • Tuition reimbursement and internal training opportunities
  • Paid time off and flexible work schedule (Friday remote)
  • On-site fitness center or reimbursed membership, wellness programs, yoga studio, Pelotons, personal training
  • Access to Diversity, Equity & Inclusion Employee Resource Groups
  • Complimentary gourmet coffee, tea, hot chocolate, fresh fruit, and healthy snacks
