
Costar Group
Provides commercial real estate data, analytics, and marketing services.
Lead Web App Pen Tester
Lead web application penetration tester securing real estate software.
Job Highlights
About the Role
The Lead Web App Pen Tester will secure the software and applications that power the worldwide real estate market. Working with over 1,000 software, QA, and operations engineers, the role involves threat modeling, white-box analysis, and grey-box penetration testing, and will partner with development, DevOps, and security teams to embed security throughout the SDLC. The position is based in Arlington, VA or Richmond, VA, with a hybrid schedule (on-site Monday through Thursday, remote Friday).
- Conduct penetration tests on web applications and underlying infrastructure using manual and automated techniques
- Work with software and product teams to ensure secure design and implementation during the SDLC
- Consume application security tools (DAST, SAST, SCA, credential scanning, IaC scanning) to secure web applications in development and production
- Automate feedback loops to generate developer work items and trigger rescans when issues are resolved
- Recommend code changes to eliminate vulnerabilities
- Automate security testing at multiple stages within the CI/CD pipeline
Key Responsibilities
- penetration testing
- secure design
- app scanning
- ci/cd automation
- threat modeling
- code review
What You Bring
- Demonstrate risk of detected issues to technical and non-technical audiences
- Bachelor's degree in Computer Science, Cybersecurity, or related field from an accredited university
- 5+ years of technical experience, including 3+ years in penetration testing
- Proven experience in web application penetration testing and exploiting attack chains
- Ability to write comprehensive vulnerability reports for developers and leadership
- Knowledge of defense-in-depth strategies and common programming languages (C#, Java, C/C++, Python, Go)
- Scripting/programming skills (Python, PowerShell, Go, Perl, JavaScript, .NET, API integration)
- Experience automating security tooling in CI/CD pipelines using SAST/SCA solutions (e.g., Veracode, Checkmarx, AppScan, X-Ray, Synopsys, Snyk)
- Proficiency with DAST tools such as Metasploit, Burp Suite, OWASP ZAP, Acunetix
- Relevant professional certifications (OSWA/OSWE, OSCP/OSEP, Hack The Box credentials, INE eWPTX) or equivalent CTF/bug bounty experience
- Deep understanding of assessment tools and infrastructure operations (databases, network, system administration)
- Strong communication skills to convey risk to leadership and drive remediation urgency
- Experience coordinating with application teams to implement security-by-design principles
- Ability to mentor and train team members on security priorities
- Self-starter attitude to advance application security programs and see ideas through
- Hands-on experience integrating security tools into CI/CD pipelines
- Experience testing cloud-native applications and mobile app penetration testing
Requirements
- penetration testing
- python
- ci/cd
- sast
- oscp
- bachelor's
Benefits
CoStar fosters a collaborative and innovative culture, offering generous compensation, performance incentives, and extensive professional development resources such as internal training and tuition reimbursement. The company is committed to diversity, equity, and inclusion, providing numerous employee resource groups and a supportive work environment.
- Competitive compensation with performance-based incentives
- Comprehensive health coverage (medical, vision, dental, prescription)
- Life, legal, and supplemental insurance
- Mental health counseling (virtual and in-person) for individuals and families
- 401(k) with matching contributions and employee stock purchase plan
- Paid time off and tuition reimbursement
- On-site or reimbursed fitness center membership, yoga studio, Peloton, personal training, group classes
- Access to Diversity, Equity & Inclusion employee resource groups
- Complimentary gourmet coffee, tea, hot chocolate, fresh fruit, and healthy snacks
- Commuter and parking benefits
Work Environment
Office Full-Time