scrumconnect ltd
02/04/2025
Full time
About the Role

Scrumconnect Consulting is looking for a Security Testing Engineer to ensure the security, resilience, and compliance of its digital services. This role involves identifying vulnerabilities, mitigating security risks, and ensuring adherence to government security policies and DDaT frameworks. You will work closely with developers, security architects, and business stakeholders to embed security testing into Agile development workflows and DevSecOps pipelines.

As a Security Testing Engineer, you will conduct static and dynamic security assessments, penetration testing, and vulnerability analysis, ensuring that applications meet the highest security standards.

Key Responsibilities

1. Security Test Planning & Execution
- Develop, implement, and execute comprehensive security test plans for GOV.UK digital services.
- Identify security vulnerabilities through static and dynamic application security testing (SAST & DAST).
- Ensure security testing is seamlessly integrated into CI/CD pipelines and DevSecOps processes.
- Define security requirements and best practices, aligning with government security policies.

2. Functional & Non-Functional Security Testing
- Conduct penetration testing, API security testing, and infrastructure security assessments.
- Perform risk-based security testing to identify and mitigate OWASP Top Ten vulnerabilities.
- Validate the effectiveness of security controls such as RBAC (Role-Based Access Control), MFA (Multi-Factor Authentication), and API security mechanisms.
- Ensure compliance with GDPR, ISO 27001, and NCSC Cyber Essentials security standards.

3. Vulnerability Management & Defect Tracking
- Identify, document, and track security defects, working closely with development teams to resolve vulnerabilities.
- Provide detailed security test reports, including risk assessments and mitigation strategies.
- Collaborate with stakeholders to prioritise and remediate security findings.

4. Collaboration & Security Awareness
- Work closely with security architects, developers, and product teams to embed security in software development.
- Provide security awareness training and advocate secure coding practices across teams.
- Engage with GOV.UK security and compliance frameworks, ensuring security best practices are followed.

5. Test Reporting & Documentation
- Produce detailed security test reports, highlighting risks, vulnerabilities, and recommendations.
- Communicate security findings effectively to both technical and non-technical stakeholders.
- Maintain comprehensive documentation of security test cases, methodologies, and tools used.

Required Skills & Experience
- Proven experience in security testing for web applications, APIs, and cloud environments.
- Strong knowledge of OWASP Top Ten, CVE vulnerabilities, and threat modelling techniques.
- Hands-on experience with security testing tools such as OWASP ZAP, Burp Suite, Nessus, Metasploit, Nikto, or equivalent.
- Experience in API security testing using Postman, SoapUI, or REST-Assured.
- Strong understanding of CI/CD security, DevSecOps, and cloud security best practices (Azure, AWS, GCP).
- Ability to simulate attack scenarios and conduct penetration testing on applications and infrastructure.
- Knowledge of database security testing, including writing security-focused SQL queries.
- Familiarity with identity and access management (IAM), RBAC, MFA, JWT authentication, and OAuth 2.0 security mechanisms.
- Strong risk assessment, problem-solving, and communication skills.
- Awareness of UK government security frameworks, including Cyber Essentials and NCSC guidelines.

Nice to Have Skills
- Experience working in UK public sector engagements.
- Knowledge of User-Centred Design and the GDS design system.
- Familiarity with security analytics and data visualisation tools such as Power BI.
- Certified Agile Tester (CAT) or ISTQB Agile Tester Extension (CTFL-AT).
- Strong understanding of cloud security posture management (CSPM) and SIEM tools (Splunk, ELK, Microsoft Sentinel).
- Experience with security validation techniques for microservices and containerised applications (Kubernetes, Docker security hardening).