Job Description: Cyber Risk Application Security Consultant
Attack Surface Management (ASM) Services
Overview
Are you interested in improving the cyber and organizational risk profiles of leading companies? Do you want to deliver Attack Surface Management (ASM) services, identifying vulnerable IT assets and weak security configurations in real time? If you thrive in dynamic environments and are passionate about cybersecurity, Deloitte’s ASM team could be the place for you.
Deloitte’s ASM business is committed to transparency, innovation, collaboration, and sustainability. We deliver industry-leading services through fresh thinking and creative approaches, collaborating across the organization to support our clients. Our goal is to be the premier integrated services provider transforming the cybersecurity marketplace.
Role: Cyber Risk Attack Surface Consultant
As a Consultant, you will:
- Work with global teams to identify vulnerabilities and rogue assets (e.g., shadow IT).
- Help clients achieve business growth while managing risk.
Key Responsibilities
- Conduct vulnerability assessments and manual penetration testing for web, API, thick client, and mobile applications.
- Perform secure code reviews and analyze false positives from industry-standard tools.
- Respond to ad-hoc reporting and research requests.
- Develop and implement application security policies and procedures.
- Identify and prioritize security vulnerabilities.
- Coordinate with development and operations teams on remediation plans.
- Quickly understand and deliver on company and client requirements.
- Participate in regular reporting for clients, partners, and internal teams.
- Adhere to internal operational security and Deloitte policies.
Required Qualifications
- Bachelor’s degree or higher in Computer Science, or equivalent experience.
- 3–5 years of hands-on experience in:
  - Application security
  - Vulnerability assessment
  - Penetration testing
  - Mobile application security
  - Thick client and Web API security assessments
- Strong understanding of OWASP Top 10 and related vulnerabilities.
- Experience in manual assessment and exploitation (e.g., Blind SQLi, XXE, SSRF, Insecure Deserialization, HTTP Request Smuggling).
- Understanding of OAuth 2.0/OpenID standards and business logic vulnerabilities.
- Experience with secure code review (OWASP Secure Coding Practices).
- Proficiency with tools: Burp Suite, Fiddler, Sysinternals, Veracode, dnSpy, OllyDbg, IDA Pro, Echo Mirage, Wireshark, Apktool, jadx-gui, Frida, etc.
- Ability to perform manual penetration testing and use automated tools.
- Excellent technical report writing skills.
- Knowledge of web application components (frontend, backend, databases, application servers).
- Understanding of web development technologies (HTML, CSS, JavaScript, PHP, Java, .NET, backend databases).
- Experience with application security architecture review and threat modeling.
- Basic concepts of reverse engineering and memory analysis.
- Understanding of networking protocols (TCP/IP, DNS, HTTP/S).
- Familiarity with vulnerability classification (CVE/CVSS).
- Certifications: CISSP, OSCP, OSWE, BSCP, GWAPT.
Preferred Qualifications
- Proficiency in web and mobile application security assessments, penetration testing, and secure code review.
- Relevant publications (blogs, tools, conference presentations, CVEs).
- Preferred certifications: OSWE, BSCP.
- Experience with automation and scripting (Python).
- Outstanding English written and oral communication skills.
- Strong understanding of web, mobile, and microservices vulnerabilities.
- Knowledge of malicious code operation and exploitation.
- Strong analytical and problem-solving skills.
- Self-motivated and eager to learn new attack vectors.
- Desire to deeply understand the what, why, and how of security vulnerabilities.
If you are passionate about cybersecurity and ready to make an impact, Deloitte’s ASM team offers a collaborative and innovative environment to grow your career.