We’re looking for an Application Security Consultant, ideally with a few years already working in the field. However, we encourage you to still apply if you think you can succeed in the role, even if you don’t have the listed experience.

Who we are:
Zerosource is an Australian application security consultancy that specialises in providing security services across the development lifecycle so our clients can focus on what they do best – building awesome software.  

Our clients range from some of Australia’s biggest corporations to small and medium enterprise. They come from a wide range of industries, including retail, government, software engineering and fintech.

The role:
As an Application Security Consultant, you will be part of a growing team of hands-on technical consultants, working with our clients to build security tools and processes into their software development lifecycle. Supported by Principal Consultants, you will be working directly with the client’s engineering teams to make a real impact on their overall security posture.

While we prefer previous application security experience, we will also consider applications from software engineers with a keen interest in security looking to make the next step in their career.

What you will be doing:

• Conducting security assessments on web, cloud, mobile, embedded and thick-client applications; including dynamic testing and reviewing source code for security vulnerabilities
• Triaging results from automated security tools to prioritise findings and eliminate false positives
• Suggesting remediations for identified vulnerabilities and communicating the advice to product engineering teams
• Publishing guidance and teaching developers about secure coding practices  
• Reviewing application architecture to ensure security is built-in via appropriate security controls
• Developing tools to automate security testing, vulnerability management and monitoring
• Implementing processes and security tools in the software development lifecycle
• Assisting engineers to conduct threat modelling exercises

Essential to the role:

• An investigative mind that loves research, problem solving and analytical thinking  
• Great verbal and written communication skills, with the ability to communicate technical concepts to both technical and non-technical audiences
• The ability to work well in a collaborative team environment
• Being comfortable with talking to stakeholders in a variety of technical, management and executive roles

Ideally you will have:

• An understanding of software vulnerabilities and cybersecurity fundamentals (knowing the OWASP Top 10 is good, but a solid understanding of input validation and defence-in-depth is even better)
• Hands-on experience in software development, preferably in a professional or enterprise environment
• Coding proficiency in an enterprise language (Java, C#) and/or scripting languages (Python, Bash)

Optional, but highly regarded:

• Experience with web application security testing
• Familiarity with a range of software development languages and frameworks
• Familiarity with containerised workloads (Kubernetes, Docker)
• Experience in automated DevOps environments
• Experience with enterprise cloud environments – AWS, GCP or Azure
• Knowledge of common security standards and frameworks (ISO, NIST, CIS, OWASP)
• Security certifications (eWPT, OCSP, OSWE, Security+)

Benefits and Perks:

• Learn from an experienced team with a workplace culture that embraces diversity, inclusiveness, collaboration and respect.  
• Flexible working conditions, remote or hybrid (Sydney or Canberra physical locations)
• One extra week of leave per year in addition to your standard entitlements
• An annual allowance for training courses, or subscription learning like Pentester Lab or AppSec Engineer
• We provide you with a company laptop, and you can choose between x64 or Mac hardware
• $500 a year healthy lifestyle bonuses for wellbeing activities, courses, memberships or equipment