Senior Security Engineer - Penetration Tester

Job DescriptionWe are looking for someone who is motivated and keenly interested in the security of applications. Someone willing to speak up, present, and collaborate as needed. Especially when it comes to our penetration testing program, red teaming, dynamic application security testing program, as well as our broader application security program. The Penetration Tester will be part of an experienced team of skilled penetration testers. You''ll participate in all phases of penetration testing as well as other individual and team-based work all focused on the information security of our enterprise. This is an exciting opportunity for an appropriately experienced penetration tester.* 100% Work at Home from any location in the United States.* We invest in your career development.* CVS has extensive Internet presence.* Protect money movement, Healthcare and other sensitive consumer information.* Be a part of transforming Healthcare in America.* Be a part of expanding opportunities to test Application Programming Interfaces (APIs), cloud, Industrial Control Systems (ICS), web tags, and Internet of Things (IoT).* Collaborate with many other bright and experienced security professionals, application developers and data scientists.* We proudly support and encourage people with military experience (active, veterans, reservists and National Guard) as well as military spouses to apply for CVS Health job opportunities.Pay RangeThe typical pay range for this role is:Minimum: 95,000Maximum: 209,000Please keep in mind that this range represents the pay range for all positions in the job grade within which this position falls. The actual salary offer will take into account a wide range of factors, including location.Required Qualifications* 8+ years of information security experience* 4+ years of penetration testing experience.* 8+years professional experience penetration testing both web applications, and networks.* 4+ years experience assessing web applications using automated and manual techniques to identify web application vulnerabilities.* 3+ years penetration test report writing.* 2+ years penetration test report review/QA experience (reviewing other testers reports).* 4+ years experience conveying/explaining penetration test results to clients, IT leaders, application teams, engineers, and analysts either technically or non-technically (dependent upon audience).COVID RequirementsCOVID-19 Vaccination RequirementCVS Health requires certain colleagues to be fully vaccinated against COVID-19 (including any booster shots if required), where allowable under the law, unless they are approved for a reasonable accommodation based on disability, medical condition, religious belief, or other legally recognized reasons that prevents them from being vaccinated.You are required to have received at least one COVID-19 shot prior to your first day of employment and to provide proof of your vaccination status or apply for a reasonable accommodation within the first 10 days of your employment. Please note that in some states and roles, you may be required to provide proof of full vaccination or an approved reasonable accommodation before you can begin to actively work.Preferred Qualifications* 8+ years application security program experience.* Certification(s) held include one or more of the following: GWAPT, GPEN, GXPN, OSWE, OSCP, or OSCE.* 2+ years providing technical penetration testing advice and feedback to other less experienced penetration testers.* 2+ years experience using AttackForge.* 3+ years professional application development experience.* Familiarity with the Secure SDLC* Understanding of web technologies and programming languages such as ASP.NET, Java, and JavaScript.* Experience with Burp Suite and one or more security testing products.* Understanding of the entire taxonomy of web application security vulnerabilities, and experience with exploitation of web application vulnerabilities.* Demonstrated experience executing on a task while also improving the process for executing that task.* Background demonstrates an evolving information technology skillset with an interest in penetration testing and information security.* Understanding of and experience with many types of vulnerabilities such as those in Industrial Control Systems (ICS) and Internet of Things (IoT).* Firmware assessment/hacking/testing experience is a plus.* Participation in Capture the Flags (CTFs) and/or Bug Bounties.* Participation in open source projects as well as publication of Common Vulnerabilities and Exposures (CVEs), security advisories, and exploits (Custom testing tools or scripts receives special consideration.)* Proven experience driving implementation of a tool or process.* Experience working with teams in large complex environments.* Willing to change, willing to be flexible, and ready to adapt (new roles, responsibilities, methodologies, procedures, etc.) as needed given the dynamic state of information/application security.EducationBachelor''s Degree or equivalent experience.Business OverviewBring your heart to CVS HealthEvery one of us at CVS Health shares a single, clear purpose: Bringing our heart to every moment of your health. This purpose guides our commitment to deliver enhanced human-centric health care for a rapidly changing world. Anchored in our brand - with heart at its center - our purpose sends a personal message that how we deliver our services is just as important as what we deliver.Our Heart At Work Behaviorsâ„¢ support this purpose. We want everyone who works at CVS Health to feel empowered by the role they play in transforming our culture and accelerating our ability to innovate and deliver solutions to make health care more personal, convenient and affordable.We strive to promote and sustain a culture of diversity, inclusion and belonging every day.CVS Health is an affirmative action employer, and is an equal opportunity employer, as are the physician-owned businesses for which CVS Health provides management services. We do not discriminate in recruiting, hiring, promotion, or any other personnel action based on race, ethnicity, color, national origin, sex/gender, sexual orientation, gender identity or expression, religion, age, disability, protected veteran status, or any other characteristic protected by applicable federal, state, or local law.

Created: 2025-11-15