Penetration Tester (Mobile, API & Application Security)
Job Description
A Penetration Tester specializing in mobile, API, and application security will perform rigorous testing and security assessments across mobile, web, API, and AI-enabled applications for U.S. Bank National Association. This onsite position is based in Irving, Texas, with a yearly salary range of USD 105,400 to 124,000. The role requires a strong foundation in security testing and collaboration with engineering teams to drive remediation.
Responsibilities
- Conduct penetration tests of mobile platforms (Android and iOS), web applications, and APIs using a mix of manual techniques and tooling.
- Identify security weaknesses and, when appropriate, demonstrate impact through controlled exploitation.
- Produce clear findings with risk ratings and remediation guidance for both technical and non-technical stakeholders.
- Apply established testing methodologies, standards, and playbooks while continuing to develop practical exploitation skills.
- Research emerging threats, tools, and techniques, including AI and application security risks, and apply learnings during assessments where applicable.
- Participate in security assessments of AI-enabled applications and services, including systems with machine learning models, APIs, or large language models (LLMs).
- Contribute to team initiatives such as process improvements, internal documentation, tool usage, and knowledge sharing.
- Collaborate with peers and stakeholders during engagements and remediation discussions.
Requirements
- Bachelor's degree in Engineering or Science, or an equivalent combination of education and work experience.
- Five or more years of experience in information security.
- Two or more years of experience in IT infrastructure management.
- Two or more years of experience in application architecture.
- Two or more years of experience in risk management.
- Two or more years of experience in data architecture.
- Two or more years of experience in middleware technology.
- Two or more years of experience in IT operations or project management.
- Three or more years of hands-on experience testing Android and/or iOS applications.
- Working knowledge of mobile platform security risks and common weaknesses.
- Familiarity with OWASP MASVS and MASTG.
- Practical understanding of the OWASP Top 10 and OWASP API Security Top 10.
- Experience identifying authentication, authorization, input validation, and business logic vulnerabilities.
- Proficiency with Burp Suite (Community or Pro), Postman, or Insomnia.
- Ability to perform manual testing beyond automated scanner output.
- Exposure to AWS and/or Azure environments.
- Basic familiarity with cloud-hosted or containerized application architectures.
- Working knowledge of HTTP/S, authentication and authorization (OAuth, JWT), and general networking concepts.
- Exposure to tools such as Nmap, Metasploit, and Kali Linux.
- Familiarity with AI and machine learning security concepts.
- Aware of AI-related risks, including prompt injection, insecure model or API access, and data leakage.
- Understanding of how AI security risks intersect with traditional application and API testing.
- Interest in contributing to light automation or scripting to improve testing efficiency.
- Ability to produce clear, well-structured written findings and remediation guidance.
- Comfortable discussing security findings with engineers, application owners, and security partners.
Technologies
- Burp Suite
- Postman
- Insomnia
- AWS
- Azure
- Nmap
- Metasploit
- Kali Linux
- Frida
- JADX
- ServiceNow
- Python
- Bash
- PowerShell
- OAuth
- JWT
- HTTP
- HTTP/S
Benefits
- Healthcare coverage includes medical, dental, and vision
- Basic and optional term life insurance
- Short-term and long-term disability insurance
- Pregnancy disability and parental leave
- 401(k) with employer-funded retirement plan
- Paid vacation ranging from two to five weeks based on salary grade and tenure
- Up to 11 paid holidays per year
- Adoption assistance
- Sick and Safe Leave accruals at one hour for every 30 hours worked, up to 80 hours per calendar year unless restricted by applicable law
E-Verify
U.S. Bank participates in the U.S. Department of Homeland Security E-Verify program in all facilities located in the United States and certain U.S. territories. The E-Verify program is an Internet-based employment eligibility verification system operated by the U.S. Citizenship and Immigration Services.
Similar Jobs
J
J
J