
Security Tester

Posted by Scrumconnect Limited on 24/02/2025

Permanent
Public Sector Jobs
London, United Kingdom

Job Description: Security Testing Engineer

Location: Remote with occasional travel as required

Employment Type: Permanent

About the Role

Scrumconnect Consulting is looking for a Security Testing Engineer to ensure the security, resilience, and compliance of GOV.UK digital services. This role involves identifying vulnerabilities, mitigating security risks, and ensuring adherence to government security policies and the DDaT (Digital, Data and Technology) capability framework. You will work closely with developers, security architects, and business stakeholders to embed security testing into Agile development workflows and DevSecOps pipelines.

As a Security Testing Engineer, you will conduct static and dynamic security assessments, penetration testing, and vulnerability analysis, ensuring that applications meet the highest security standards.

Key Responsibilities
1. Security Test Planning & Execution

Develop, implement, and execute comprehensive security test plans for GOV.UK digital services.

Identify security vulnerabilities through static and dynamic application security testing (SAST & DAST).

Ensure security testing is seamlessly integrated into CI/CD pipelines and DevSecOps processes.

Define security requirements and best practices, aligning with government security policies.

2. Functional & Non-Functional Security Testing

Conduct penetration testing, API security testing, and infrastructure security assessments.

Perform risk-based security testing to identify and mitigate OWASP Top Ten vulnerabilities.

Validate the effectiveness of security controls such as RBAC (Role-Based Access Control), MFA (Multi-Factor Authentication), and API security mechanisms.

Ensure compliance with UK GDPR, ISO 27001, and the NCSC Cyber Essentials scheme.

3. Vulnerability Management & Defect Tracking

Identify, document, and track security defects, working closely with development teams to resolve vulnerabilities.

Provide detailed security test reports, including risk assessments and mitigation strategies.

Collaborate with stakeholders to prioritize and remediate security findings.

4. Collaboration & Security Awareness

Work closely with security architects, developers, and product teams to embed security in software development.

Provide security awareness training and advocate secure coding practices across teams.

Engage with GOV.UK security and compliance frameworks, ensuring security best practices are followed.

5. Test Reporting & Documentation

Produce detailed security test reports, highlighting risks, vulnerabilities, and recommendations.

Communicate security findings effectively to both technical and non-technical stakeholders.

Maintain comprehensive documentation of security test cases, methodologies, and tools used.

Required Skills & Experience

Proven experience in security testing for web applications, APIs, and cloud environments.

Strong knowledge of the OWASP Top Ten, publicly disclosed vulnerabilities (CVEs), and threat modeling techniques.

Hands-on experience with security testing tools such as OWASP ZAP, Burp Suite, Nessus, Metasploit, Nikto, or equivalent.

Experience in API security testing using Postman, SoapUI, or REST Assured.

Strong understanding of CI/CD security, DevSecOps, and cloud security best practices (Azure, AWS, GCP).

Ability to simulate attack scenarios and conduct penetration testing on applications and infrastructure.

Knowledge of database security testing, including writing security-focused SQL queries.

Familiarity with identity and access management (IAM), RBAC, MFA, JWT authentication, and OAuth 2.0 security mechanisms.

Strong risk assessment, problem-solving, and communication skills.

Awareness of UK government security frameworks, including Cyber Essentials and NCSC guidelines.

Nice to Have Skills

Experience working in UK public sector engagements (MoJ, HMCTS, DWP, Home Office, NHS, etc.).

Knowledge of user-centred design and the GDS Design System.

Familiarity with security analytics and data visualization tools such as Power BI.

Certified Agile Tester (CAT) or ISTQB Agile Tester Extension (CTFL-AT).

Experience with forensics and incident response in government systems.

Strong understanding of cloud security posture management (CSPM) and SIEM tools (Splunk, ELK, Microsoft Sentinel).

Experience with security validation techniques for microservices and containerized applications (Kubernetes, Docker security hardening).

Certifications & Security Clearance

ISTQB Foundation Level Certification (or equivalent) - Demonstrating fundamental software testing principles.

Security clearance (BPSS, the Baseline Personnel Security Standard, and/or SC, Security Check) or willingness to undergo the clearance process - Required for working on sensitive government projects.

Certified Information Systems Security Professional (CISSP) or equivalent security certification (CEH, OSCP, etc.).

Why Join Scrumconnect Consulting?

Competitive salary & career growth opportunities.

BUPA Health Cover & AIG Life Cover.

Flexible working environment with remote work options.

Generous annual leave package (28 days + tenure-based increments).

How to Apply

If you're passionate about security testing and ensuring the resilience of GOV.UK digital services, we'd love to hear from you!
