Grubhub’s Product Security organization is looking for a Penetration Tester to help build our Offensive Testing & Adversary Emulation capabilities. Your primary task will be to conduct offensive pen-testing activities against our microservices, applications, infrastructure and data-layer systems. You will work closely with our engineering groups to define pen-test scope, lead assessment engagements, and map assessment findings into engineering plans of action for remediation, ultimately guiding our product security uplift activities. This is a unique opportunity for an experienced offensive pen-tester who is collaborative, and has a healthy sense of curiosity to join Grubhub Security to make real positive impacts to our security posture, and help us improve our security designs so that we can deliver trustworthy experiences across the entire Grubhub ecosystem.
This role is based in Chicago, IL and is required 2 days per week in the office.
The Impact You Will Make:
- You will enhance the overall security posture of Grubhub by identifying and mitigating security vulnerabilities proactively.
- Streamline security testing processes by automating penetration tests as part of the CI/CD pipeline, reducing manual effort and improving engineering operational excellence.
- Contribute to a culture of cybersecurity awareness and continuous improvement within the organization, enabling Grubhub to launch and sustain key business initiatives with minimal risk.
Key Responsibilities:
- Conduct white-box and gray-box offensive penetration testing against Grubhub’s mobile applications, front-end & back-end microservices and web services
- Conduct network infrastructure, Public Cloud (AWS, GCP and Azure), and data-layer offensive pen-testing in support of annual PCI-DSS requirements
- Perform security assessments on mobile application products and services.
- Perform manual source code reviews and audits (manual and SCA/SAST code audits) as needed
- Be a subject matter expert and ambassador to Grubhub Engineering for secure coding practices, penetration testing, mobile platform security and all aspects of application and product security
- Perform any other application security or product security related activities or tasks as needed or directed
- Validate 3rd party external pen-test and crowd-sourced application security findings and work with our Appsec team to triage those across to our engineering teams
What You Bring To The Table:
- Bachelors degree in Computer Science, Information Technology, or related field (or equivalent experience).
- 3+ years of relevant engineering or security assessment experience
- Proven experience in manual penetration testing, including web applications, APIs, micro-services, networks, and cloud environments.
- A broad knowledge of attack vectors, exploits and mitigations that work at scale or may be linked together for chained attacks
- Intermediate-level experience with Java, Go, or Python with demonstrable experience in conducting code reviews to identify security deficiencies at the code-level.
- Ability to create and write scripts to automate redundant activities
- Familiarity with security testing tools such as Burp Suite, Nmap, etc.
- Strong understanding of CI/CD pipelines and experience with integrating security testing into automated build processes.
- Knowledge of security controls (like EDR) evasion techniques and ability to apply that knowledge as part of an advanced security assessment.
- Working familiarity with version control systems (Git) and issue tracking tools (Jira) and ability to define + support your commitments within an Agile working model.
- Ability to create written work product, detailed technical findings documents, and pen-test reports.
- Great interpersonal skills, deep technical ability, and a history of successful execution in the assessments industry.
- Excellent communication skills and ability to work collaboratively in a team environment.
- Ability to fully participate in our on-call rotation as a service owner
Preferred Qualifications:
- A pen-test certification such as Offensive Security Certified Professional (OSCP), OSWE, OSCE, GPEN, GMOB, GWAPT, GXPN, eWAPT, eMAPT and/or willing to work towards ultimately obtaining one within the first year as part of your career path
And Of Course, Perks!
- Flexible PTO. Grubhub employees enjoy a generous amount of time to recharge.
- Health and Wellness. Excellent medical, dental and vision benefits, 401k matching, employee network groups and paid parental leave are just a few of our programs to support your overall well-being.
- Compensation. You'll receive a highly-competitive compensation package with eligibility for generous incentives, bonuses, commission, and RSUs.
- Free Meals. Our employees get a weekly Grubhub credit to enjoy and support local restaurants.
- Social Impact. We believe in giving back through programs like the Grubhub Community Relief Fund, and provide our employees opportunities to support causes that are important to them.
Grubhub is an equal opportunity employer. We welcome diversity and encourage a workplace that is just as diverse as the customers we serve. We evaluate qualified applicants without regard to race, color, religion, age, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other legally protected characteristics. If you’re applying for a job in the U.S. and need a reasonable accommodation for any part of the employment process, please send an email to TalentAcquisition@grubhub.com and let us know the nature of your request and contact information. Please note that only those inquiries concerning a request for reasonable accommodation will be responded to from this email address.
If you are a resident of the State of California and would like a copy of our CA privacy notice, please email privacy@grubhub.com.