Security Tester

About the Role

Scrumconnect Consulting is looking for a Security Testing Engineer to ensure the security, resilience, and compliance. This role involves identifying vulnerabilities, mitigating security risks, and ensuring adherence to government security policies and DDAT frameworks. You will work closely with developers, security architects, and business stakeholders to embed security testing into Agile development workflows and DevSecOps pipelines.

As a Security Testing Engineer, you will conduct static and dynamic security assessments, penetration testing, and vulnerability analysis, ensuring that applications meet the highest security standards.

Key Responsibilities

1. Security Test Planning & Execution
   Develop, implement, and execute comprehensive security test plans for GOV.UK digital services.
   Identify security vulnerabilities through static and dynamic application security testing (SAST & DAST).
   Ensure security testing is seamlessly integrated into CI/CD pipelines and DevSecOps processes.
   Define security requirements and best practices, aligning with government security policies.
2. Functional & Non-Functional Security Testing
   Conduct penetration testing, API security testing, and infrastructure security assessments.
   Perform risk-based security testing to identify and mitigate OWASP Top Ten vulnerabilities.
   Validate the effectiveness of security controls such as RBAC (Role-Based Access Control), MFA (Multi-Factor Authentication), and API security mechanisms.
   Ensure compliance with GDPR, ISO 27001, and NCSC Cyber Essentials security standards.
3. Vulnerability Management & Defect Tracking
   Identify, document, and track security defects, working closely with development teams to resolve vulnerabilities.
   Provide detailed security test reports, including risk assessments and mitigation strategies.
   Collaborate with stakeholders to prioritize and remediate security findings.
4. Collaboration & Security Awareness
   Work closely with security architects, developers, and product teams to embed security in software development.
   Provide security awareness training and advocate secure coding practices across teams.
   Engage with GOV.UK security and compliance frameworks, ensuring security best practices are followed.
5. Test Reporting & Documentation
   Produce detailed security test reports, highlighting risks, vulnerabilities, and recommendations.
   Communicate security findings effectively to both technical and non-technical stakeholders.
   Maintain comprehensive documentation of security test cases, methodologies, and tools used.

Required Skills & Experience

1. Proven experience in security testing for web applications, APIs, and cloud environments.
2. Strong knowledge of OWASP Top Ten, CVE vulnerabilities, and threat modelling techniques.
3. Hands-on experience with security testing tools such as OWASP ZAP, Burp Suite, Nessus, Metasploit, Nikto, or equivalent.
4. Experience in API security testing using Postman, SoapUI, or REST-Assured.
5. Strong understanding of CI/CD security, DevSecOps, and cloud security best practices (Azure, AWS, GCP).
6. Ability to simulate attack scenarios and conduct penetration testing on applications and infrastructure.
7. Knowledge of database security testing, including writing security-focused SQL queries.
8. Familiarity with identity and access management (IAM), RBAC, MFA, JWT authentication, and OAuth 2.0 security mechanisms.
9. Strong risk assessment, problem-solving, and communication skills.
10. Awareness of UK government security frameworks, including Cyber Essentials and NCSC guidelines.

Nice to Have Skills

1. Experience working in UK public sector engagements.
2. Knowledge of User-Centric Design and GDS design system.
3. Familiarity with security analytics and data visualization tools like PowerBI.
4. Certified Agile Tester (CAT) or ISTQB Agile Tester Extension (CTFL-AT).
5. Strong understanding of cloud security posture management (CSPM) and SIEM tools (Splunk, ELK, Microsoft Sentinel).
6. Experience with security validation techniques for microservices and containerized applications (Kubernetes, Docker security hardening).