USAA Application Security Advisor-Penetration Tester in San Antonio, Texas

Purpose of Job

IMPORTANT: Applicants – When filling out your name and other personal information below, DO NOT use any special characters or ALL CAPS. Use only standard letters in the English alphabet. Including special characters or all uppercase letters will cause errors in your application.

This posting is for two positions within Information Security, specifically in Applications Security, from either an Advisor leadership role or as a Penetration Tester. Spend your days ethically hacking USAA’s digital properties on web, mobile, cloud, IoT, and APIs. Individual would be responsible for coordinating and conducting application penetration tests, developing reports, and consulting with our IT and business partners to remediate discovered risks.

Develops strategies and Information Security plans. Provides thought leadership while managing multiple large scale initiatives. Collaborates with all levels of USAA management and internal partners to assess Information Security and align to support the organization goals with Enterprise goals. Leads Information Security risk by identifying, evaluating, assessing, designing, monitoring, administering, reporting and implementing systems, policies and processes. Advises various levels of senior management on Information Security risk management issues and serves as the primary resource for cross-functional team members on escalated issues of a unique nature. Works under minimal supervision on complex and unique work assignments and recommends appropriate solutions and problem resolution.

We are currently seeking talented Application Security Advisor/Penetration Tester for our San Antonio, TX or Remote facility.

Job Requirements

  • Leads technical thought leadership to guide the strategic direction to executive management focusing on Information Security risk of USAA development projects, departmental initiatives and other special projects. Identifies and leads requirements and recommends system security configurations; oversees security briefings and responding to inquiries.
  • Provides advanced advice and acts as an Information Security subject matter expert liaison between the company and staff agencies through formal and ad-hoc inquiries.
  • Provides governance and leads identifying, analyzing and initiating changes in the Information Security policies, guidelines and standards including advising company and staff agencies in support of developing and managing the Information Security awareness program.
  • Gives counsel to ensure that internally developed and commercially available business applications include adequate Information Security controls; Consults process owners on the identification, development and testing of Information Security controls for risk mitigation effectiveness.
  • Performs physical site assessments of business partners and provides peer review of work product and deliverables. Counsels and performs release of information analysis to third party business partners and identifies alternative methods for securing and releasing information when applicable.
  • Leads the planning, design, development and execution of the Information Security risk and control identification, evaluation, documentation, analysis and reporting processes including analytic tools. Provides expert analysis and recommendations on Information Security risk assessment and mitigation to internal and external clients or other analysts; influences Information Security risk management strategies and approaches and educates risk owners on best practices. Regularly advises senior management on key Information Security risk management efforts.
  • Establishes strategic partnerships to anticipate, advise, and effectively communicate (written and verbal) Federal and State regulatory and business partner Information Security risk requirements.
  • Coaches and mentors peers and cross functional team members to achieve business result, development, and delivery.
  • Other duties as assigned.

Minimum Requirements

  • Bachelor's degree in MIS, Computer Engineering, Cyber Security, IT or related disciplines or 4 years of additional work experience in IT, Information Security, Cyber Security or equivalent experience in lieu of a degree.
  • 8+ years work experience in Information Technology or related discipline.
  • 6+ years leading within a matrixed corporate environment.
  • Advanced knowledge in risk, control, budgets, process and loss costing.
  • Advanced knowledge of relevant industry data sources, standards, data analysis tools and techniques (e.g. Archer, MetricStream, BWise).
  • 8+ years facilitating risk assessment sessions with all levels of management and executive management.


  • Experience in software development and/or Secure SDLC.
  • Experience with information security and cloud deployment models (SaaS/PaaS/IaaS).
  • Professional designation in CISSP, CISA, CRISC, CISM, CEH, GWAPT, GWEB, or CRCMP.
  • An advanced degree in MIS, Computer Engineering or Cyber Security.
  • 5+ years of proven proficiency in performing extensive application vulnerability assessments and penetration testing
  • 5+ years of experience with testing tools, including Burp Suite, WebScarab, ZAP, metasploit, and SAST/DAST/RASP/IAST technologies
  • Experience defining security requirements for software development projects, performing risk assessments of cloud vendors and implementations, facilitating threat modeling and defining mitigating controls
  • Well versed with common web application, mobile application, and cloud security flaws and exploitation techniques
  • Possess a certification in penetration testing, such as: GIAC Web Application Penetration Tester (GWAPT), Licensed Penetration Tester (LPT), Certified Expert Penetration Tester (CEPT), Certified Ethical Hacker (CEH), Global Information Assurance Certification Penetration Tester (GPEN)
  • Experience scripting in Perl, Python, Ruby, Bash, or Java AND familiarity with Open Source Security Testing Methodology Manual (OSSTMM), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) Special Publications

The above description reflects the details considered necessary to describe the principal functions of the job and should not be construed as a detailed description of all the work requirements that may be performed in the job.

At USAA our employees enjoy one of the best benefits packages in the business, including a flexible business casual or casual dress environment, comprehensive medical, dental and vision plans, along with wellness and wealth building programs. Additionally, our career path planning and continuing education will assist you with your professional goals.

Relocation assistance is available for this position.

Application Security Advisor-Penetration Tester TX-San Antonio R0011585