Application Security Specialist

ZS is a place where passion changes lives. As a management consulting and technology firm focused on improving life and how we live it, we transform ideas into impact by bringing together data, science, technology and human ingenuity to deliver better outcomes for all. Here you'll work side-by-side with a powerful collective of thinkers and experts shaping life-changing solutions for patients, caregivers and consumers, worldwide. ZSers drive impact by bringing a client-first mentality to each and every engagement. We partner collaboratively with our clients to develop custom solutions and technology products that create value and deliver company results across critical areas of their business. Bring your curiosity for learning, bold ideas, courage and passion to drive life-changing impact to ZS.
What you'll do: Application Security Specialist in the Enterprise will be responsible for leading and managing Application Penetration Testing & mature ZS's Application Security Program. This role requires strategic, attacker-mindset thinking, deep application security expertise, and strong communication skills to manage and perform application penetration testing, supervise and mentor testing teams

• Typical daily work will consist of leading and performing advanced manual and automated application penetration tests on web, mobile, APIs, and microservices across production and pre-production environments.
• Perform in-depth secure code reviews and design-level security assessments in collaboration with development and DevSecOps teams.
• Assess authentication, authorization, session management, and identity flows across web, mobile, and API-driven architectures, including OAuth2, OIDC, SSO, and token-based designs.
• Identify, document, and articulate risks related to application vulnerabilities (e.g., OWASP Top 10, SANS 25), misconfigurations, and insecure design patterns .
• Perform business logic and abuse-case testing, identifying flaws that cannot be detected through automated tooling.
• Lead and mentor a team of AppSec testers, providing technical guidance, reviewing assessment outputs, and driving continuous skill development within the team.
• Utilize tools like Burp Suite Pro, Snyk, Checkmarx, Black Duck, OwaspZap and custom scripts to identify vulnerabilities at code and runtime levels.
• Ensure the highest quality of security testing by establishing and enforcing rigorous testing standards, peer reviews, and validation processes, ensuring all findings are accurate, reproducible, and aligned with industry best practices.
• Collaborate in DevSecOps initiatives by embedding security into the CI/CD pipelines
• Partner with product owners, developers, architects, and QA engineers to build secure-by-design applications.
• Provide mentorship and security guidance to internal stakeholders to raise overall security maturity.
• Support incident response and forensics activities as related to AppSec breaches.

What you'll bring:

• Proven experience and deep expertise in application penetration testing, including business logic abuse, authentication/authorization flaws, and client-side vulnerabilities.
• Strong familiarity with OWASP ASVS, MASVS, and Top 10 lists.
• Proficiency with tools such as Burp Suite Pro, Postman, Fiddler and source code analysis platforms such as Checkmarx, Snyk, BlackDuck.
• Working knowledge of programming/scripting languages like Python, Java, JavaScript, C#, .Net or Go.
• Familiarity with cloud-native applications and platform-specific vulnerabilities (AWS, Azure, GCP).
• Thorough understanding of modern architectures: microservices, APIs, containers, Kubernetes, and serverless.
• Deep expertise in manual and automated application penetration testing, including identifying and exploiting vulnerabilities such as SQLi, XSS, SSRF, IDOR, CSRF, and authentication/authorization flaws.
• Ability to perform end-to-end testing of modern web applications, including RESTful and GraphQL APIs, single-page applications (SPAs), and microservices, with a focus on real-world attack scenarios and business logic exploitation.
• Experience with mobile application security testing (iOS/Android) and tools like MobSF, Frida, or Drozer.
• Familiarity with common reconnaissance, exploitation, and post exploitation techniques.
• Ability to clearly document findings and communicate risk effectively to technical and non-technical stakeholders.
• Strong Collaboration, Communication and Interpersonal skills with the ability to collaborate effectively with cross-functional teams, communicate complex technical concepts to non-technical stakeholders, and build consensus around security initiatives.
• Fluency in English
• Client-first mentality
• Intense work ethic
• Collaborative spirit and problem-solving approach

How you'll grow:

• Cross-functional skills development & custom learning pathways
• Milestone training programs aligned to career progression opportunities
• Internal mobility paths that empower growth via s-curves, individual contribution and role expansions

Hybrid working model:
ZS is committed to a Flexible and Connected way of working. ZSers are onsite at clients or ZS offices three days a week. Combined flexibility to work remotely two days a week is also available. The magic of ZS culture and innovation thrives in both planned and spontaneous face-to-face connections.
Perks & Benefits:
ZS offers a comprehensive total rewards package including health and well-being, financial planning, annual leave, personal growth and professional development. Our robust skills development programs, multiple career progression options and internal mobility paths and collaborative culture empowers you to thrive as an individual and global team member.
Travel:
Travel is a requirement at ZS for client facing ZSers; business needs of your project and client are the priority. While some projects may be local, all client-facing ZSers should be prepared to travel as needed. Travel provides opportunities to strengthen client relationships, gain diverse experiences, and enhance professional growth by working in different environments and cultures.
Considering applying?
At ZS, we honor the visible and invisible elements of our identities, personal experiences, and belief systems-the ones that comprise us as individuals, shape who we are, and make us unique. We believe your personal interests, identities, and desire to learn are integral to your success here. We are committed to building a team that reflects a broad variety of backgrounds, perspectives, and experiences. Learn more about our inclusion and belonging efforts and the networks ZS supports to assist our ZSers in cultivating community spaces and obtaining the resources they need to thrive.
If you're eager to grow, contribute, and bring your unique self to our work, we encourage you to apply.
ZS is an equal opportunity employer and is committed to providing equal employment and advancement opportunities without regard to any class protected by applicable law.
To complete your application:
Candidates must possess or be able to obtain work authorization for their intended country of employment. An on-line application, including a full set of transcripts (official or unofficial), is required to be considered.
NO AGENCY CALLS, PLEASE.
Find Out More At:
www.zs.com