Pen-tester - Product Security

What You'll Do:

Avalara's Offensive Security organization is looking for a penetration tester to join our security assessments team. As a member of our in-house pen-test team, your principal mission will be to conduct offensive pen-testing activities against our microservices, applications, infrastructure and data-layer services. You will work closely with our engineering groups to define pen-test scope, lead assessment engagements, and map assessment findings into engineering remediation plans, ultimately guiding our product security uplift activities. This is a unique opportunity for an experienced offensive pen-tester who is collaborative, and has a healthy sense of curiosity to join Avalara Engineering to make real positive impacts to our security posture, and help us improve our security designs in our next-gen of systems and services .

What Your Responsibilities Will Be:

• Conduct white-box and grey-box offensive penetration testing against Avalara's applications, microservices and web services

• Conduct network infrastructure, Public Cloud (AWS and GCP), AI, and data-layer offensive pen-testing

• Perform manual source code reviews and audits (manual and SCA/SAST code audits) as needed to support white-box assessments

• Be a subject matter expert and ambassador to Avalara Engineering for secure coding practices, penetration testing, platform security and all aspects of application and product security

• Perform any other application security or product security related activities or tasks as needed or directed

• Validate 3rd party external pen-test and crowd-sourced application security findings and work with our application security team to triage those across to our engineering teams.

What You'll Need to be Successful:

• An Offensive Security Certified Professional (OSCP) certification

• 5+ years of security assessment experience

• Possess a broad knowledge of attack vectors, exploits and mitigations that work at scale or may be linked together for chained attacks

• Experience with assessing with Cloud-native services, service meshes, and Kubernetes-platform based microservices

• Be able to apply unconventional thinking and problem-solve on the boundary of your knowledge base, learning new technologies or languages as needed to complete pen-test tasks

• Be able to think both offensively (like a hacker) and defensively (evaluating product security and design)

• Ability to create written work product, detailed technical findings documents, and pen-test reports

• Familiarity with industry-standard threat modelling, risk modelling and vulnerability classification

• Knowledge of LLM Top-10 and AI hacking experience is a plus

Avalara is an AI-first Company:

AI is embedded in our workflows, decision-making, and products. Success here requires embracing AI as an essential capability.

• You'll bring experience using AI and AI-related technologies, ready to thrive here.
• You'll apply AI every day to business challenges - improving efficiency, contributing solutions, and driving results for your team, our company, and our customers.
• You'll grow with AI by staying curious about new trends and best practices, and by sharing what you learn so others can benefit too.

How We'll Take Care of You:

Total Rewards

In addition to a great compensation package, paid time off, and paid parental leave, many Avalara employees are eligible for bonuses.

Health & Wellness

Benefits vary by location but generally include private medical, life, and disability insurance.

Inclusive culture and diversity

Avalara strongly supports diversity, equity, and inclusion, and is committed to integrating them into our business practices and our organizational culture. We also have a total of 8 employee-run resource groups, each with senior leadership and exec sponsorship.

What You Need To Know About Avalara:

We're defining the relationship between tax and tech.

We've already built an industry-leading cloud compliance platform, processing over 54 billion customer API calls and over 6.6 million tax returns a year. Our growth is real - we're a billion dollar business - and we're not slowing down until we've achieved our mission - to be part of every transaction in the world.

We're bright, innovative, and disruptive, like the orange we love to wear. It captures our quirky spirit and optimistic mindset. It shows off the culture we've designed, that empowers our people to win. We've been different from day one. Join us, and your career will be too.

We're An Equal Opportunity Employer

Supporting diversity and inclusion is a cornerstone of our company — we don't want people to fit into our culture, but to enrich it. All qualified candidates will receive consideration for employment without regard to race, color, creed, religion, age, gender, national orientation, disability, sexual orientation, US Veteran status, or any other factor protected by law. If you require any reasonable adjustments during the recruitment process, please let us know.