Senior API Tester (Application Security)

SPECTRAFORCE • Canada
Remote
AI Summary

Join our Application Security team as a Senior API Tester, responsible for testing and validating APIs from a security standpoint. Provide technical leadership, perform end-to-end security testing, and deliver actionable results quickly. 5+ years of experience in API security testing and a post-secondary degree in Computer Science or Information Systems required.

Key Responsibilities
Provide technical leadership to business areas as an API security testing subject matter expert
Perform end-to-end security testing using Postman and API testing tools
Triage API-related findings and advise development teams on applying appropriate controls
Generate standardized reports via tooling interfaces or APIs
Review code across major languages to help pinpoint root cause and guide developers to implement optimal solutions
Technical Skills Required
Postman
API testing tools
Scripting/automation experience (e.g., Python, Node.js, Bash)
Nice to Have
Postman API Tester or penetration testing certifications
Familiarity with CI/CD pipeline integration (e.g., GitHub Actions, Azure DevOps) and automated API testing pipelines
Experience contributing to SOPs, reusable templates, or security testing playbooks

Job Description


Job Title: Senior API Tester (Application security)

Duration: Until Oct 31/2026 (6 months) - Extension possible

Location: Fully-Remote

Start Date: Mid May

Interview Availability: Available to start interviewing as soon as we identify candidates

HM note: Anyone with 5 years' experience in the AppSec dynamic testing (DAST) space will easily meet all required expectations noted below

About the role

We are seeking a Senior API Tester to join our Application Security team, responsible for testing and validating APIs from a security standpoint. The ideal candidate will have strong experience with Postman and automated tools, along with the ability to independently assess APIs, engage with developers, and deliver actionable results quickly.

Responsibilities

  • Provide technical leadership to business areas as an API security testing subject matter expert, performing end-to-end security testing using Postman and API testing tools, including reproducing issues, troubleshooting findings, and validating remediation.
  • Perform technical security assessments of APIs and application services deployed in hybrid environments, including on-prem solutions and cloud platforms.
  • Execute deep authentication and authorization testing across modern patterns (e.g. OAuth2, JWT, API keys), including negative testing and edge-case validation.
  • Triage API-related findings and advise development teams on applying appropriate controls based on system design and traffic flow.
  • Generate standardized reports via tooling interfaces or APIs.
  • Review code across major languages to help pinpoint root cause and guide developers to implement optimal solutions.
  • Build scripts and automations to streamline testing workflows, evidence capture, regression verification, and integration into CI/CD processes.
  • Evaluate AI-assisted capabilities in security scanning/testing tools to improve triage speed, signal quality, and remediation guidance.

Required Qualifications

  • 5+ years of relevant experience in API security testing and a post-secondary degree in Computer Science or Information Systems
  • Hands-on experience testing APIs deployed in on-prem environments (e.g., TIBCO) and cloud environments (e.g., AWS API Gateway, Lambda, or containerized services)
  • Proficiency with API security testing tools and Postman, including testing across various authentication methods (OAuth2, JWT, API keys)
  • Proficiency with configuring and executing complex API test scenarios, including multi-step workflows, custom payload and header manipulation, pagination handling, rate limit validation, and filter/query parameter testing
  • Solid understanding of how network connectivity and infrastructure components influence API behavior and security controls
  • Solid understanding of OWASP API Top 10 vulnerabilities and mitigation strategies
  • Demonstrated ability to apply systems design thinking to review API design for exposure and to review security control placement decisions within an API’s end-to-end architecture
  • Demonstrated ability to evaluate Swagger/OpenAPI documentation for completeness and testability
  • Scripting/automation experience (e.g., Python, Node.js, Bash) to integrate testing and repeatable checks into engineering workflows

Nice to Have

  • Postman API Tester or penetration testing certifications are an asset
  • Familiarity with CI/CD pipeline integration (e.g., GitHub Actions, Azure DevOps) and automated API testing pipelines
  • Experience contributing to SOPs, reusable templates, or security testing playbooks

