At Freddie Mac, you will do important work to build a better housing finance system and you’ll be part of a team helping to make homeownership and rental housing more accessible and affordable across the nation. Position Overview: The Freddie Mac Red Team is responsible to test the overall strength of our organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker. We are seeking an Information Security Tech Lead to assist the team by providing subject matter expertise in Penetration testing of Infrastructure and Networks, Web Applications, Cloud and Social engineering, and Purple Team. In this role, the candidate will provide enhanced vulnerability analysis and contextual feedback to stakeholders to support the resolution of discovered vulnerabilities and facilitate risk awareness. Responsibilities include: Penetration Testing and Red Team assessments Perform web application penetration tests, including manual and automated testing techniques Identify and exploit vulnerabilities in web applications, APIs, and related technologies Develop and maintain scripts, tools, and methodologies to enhance web application security testing processes and capabilities Provide detailed vulnerability analysis and contextual feedback to development and operations teams Collaborate with stakeholders to scope prospective engagements, lead engagements, and mentor less experienced staff Collaborate with the Red Team to integrate web application penetration testing findings into broader threat emulation scenarios and organizational security assessments Contribute to the development and improvement of security policies, standards, and guidelines Develop Team Capabilities and Leadership Generate innovative ideas and challenge the status quo Develop scripts, tools, or methodologies to enhance the Red teaming processes and capabilities Participate in and actively support mentoring with other members of the team Assist with scoping prospective engagements, leading engagements from kickoff through remediation, and mentoring less experienced staff Our Impact: The Red team is responsible for testing the overall strength of our organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker! Your Impact: This role provides domain expertise in Penetration testing of Infrastructure and Networks, Web Applications, Cloud and Social engineering, as well as Red Team and Purple Team internal engagements. Additionally, you will provide improved vulnerability analysis and contextual feedback to partners to support the resolution of discovered vulnerabilities and facilitate risk awareness. Qualifications 8-10 years of relevant experience in web application security and penetration testing One or more technical certifications: OSWA, OSWE, OSCP, GWAPT, GMOB, OSEE, OSEP, or similar Proficient with common web application penetration testing tools (e.g., Burp Suite, OWASP ZAP) Solid understanding of web technologies (e.g., HTML, JavaScript, REST, SOAP) and common web application vulnerabilities (e.g., SQL injection, XSS, CSRF) Knowledge of secure coding practices and application security frameworks (e.g., OWASP) Ability to critically examine web applications and systems through the perspective of a threat actor Key to success in this role Experience with secure development practices and code review Proficiency in at least one scripting or programming language (e.g., Python, JavaScript, Ruby) In-depth knowledge of cloud security for web applications (e.g., AWS, Azure, GCP) Experience with mobile application security testing and relevant tools (e.g., MobSF, Frida, Burp Suite Mobile Assistant) Current Freddie Mac employees please apply through the internal career site. Today, Freddie Mac makes home possible for one in four home borrowers and is one of the largest sources of financing for multifamily housing. Join our smart, creative and dedicated team and you’ll do important work for the housing finance system and make a difference in the lives of others. We are an equal opportunity employer and value diversity and inclusion at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, disability status or any other characteristic protected by applicable law. We will ensure that individuals with differing abilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us to request accommodation. Notice to External Search Firms: Freddie Mac partners with BountyJobs for contingency search business through outside firms. Resumes received outside the BountyJobs system will be considered unsolicited and Freddie Mac will not be obligated to pay a placement fee. If interested in learning more, please visit and register with our referral code: MAC. Time-type:Full timeFLSA Status:Exempt Freddie Mac offers a comprehensive total rewards package to include competitive compensation and market-leading benefit programs. Information on these benefit programs is available on our Careers site. This position has an annualized market-based salary range of $144,000 – $216,000 and is eligible to participate in the annual incentive program. The final salary offered will generally fall within this range and is dependent on various factors including but not limited to the responsibilities of the position, experience, skill set, internal pay equity and other relevant qualifications of the applicant. #J-18808-Ljbffr
sql-injection HTML Code review API dedicated xss Amazon Web Services (AWS) Azure frida web-applications cloud-security programming-languages remote work Google Cloud Platform (GCP) cloud-computing Mentoring scripting Burp Suite penetration-testing application-security infrastructure systems REST Python standards Creativity SOAP JavaScript hybrid OWASP csrf OffSec Certified Professional (OSCP) Technical Lead networking technologies Ruby Leadership manual-testing