Security Research Engineer (SAST)

Threat Research Center Houston, Texas


A Security Research Engineer within the WhiteHat Security Detection Research organization is an application security professional responsible for contributing to the development, testing, and release of new scanner tests. The Security Research Engineer functions as a subject matter expert in multiple aspects of their assigned application security testing technology; this role is anticipated to focus primarily on SAST.

Responsibilities related to test development, testing, and release include:

  • Conducting primary research in the form of automated or manual inspection of sandbox and client applications’ code to discover emerging patterns of technology usage, vulnerabilities, and security controls
  • Leveraging existing test expression capabilities, both domain specific and custom code, to improve detection capabilities by adding new tests and enhancing existing tests
  • Monitoring existing test executions and outcomes to collect qualitative and quantitative data on test efficacy in order to identify bugs, defects, and needed enhancements
  • Validating, benchmarking, and stress testing existing tests, test changes, and test additions
  • Developing proof-of-concept enhancements to test capabilities, documenting requirements, and creating capability specifications


A bachelor’s degree in computer science or an information security related field is expected; additional experience in software development and security testing will be considered in the absence of a bachelor’s degree.

Expertise in both software development and application security testing, in the form of at least two years of combined application security testing and software development experience.

Candidates with software development experience in Java and with the following experience who are interested in building a career as a security research engineer will be positioned for success:

  • Configuring, running, and validating the results of SAST scanning technologies
  • Manual assessment of web, networked desktop, or mobile applications for security vulnerabilities using an end-to-end assessment methodology
  • Manual code review using an industry recognized standard for vulnerabilities, security control presence, security control quality, and security by design

Ability to demonstrate experience and expertise with the following:

  • Java
  • JavaScript
  • At least one of the following or equivalent: Golang, C#, Python, Ruby, Perl, C++

Additional relevant experience and skills:

  • Docker
  • CI/CD: Jenkins, Azure Pipelines
  • Cloud platforms: Azure, AWS, GCP, Digital Ocean, etc.
  • Participation in bug bounty programs, responsible disclosure, credited CVEs, and CTFs
  • Security certifications: CEH, OSCP, OSWE, CASS, etc.
  • Configuring, writing custom rules for, running, and consuming results from AST scanning tools, open source and commercial

WhiteHat Security is an E-Verify employer and is proud to provide equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability or genetics.