API Tester – Application Security
Spectraforce
Toronto, Ontario
5 hours ago
Job Description
Job Title: Senior API Tester – Application Security
Location: Remote (Toronto preferred for occasional in-office collaboration)
Contract Length: 3 months with possible extension
Job Description:
Overview:
This is a dynamic API security testing role on the Application Security team. The Senior API Tester will be responsible for testing and validating APIs from a security standpoint. The ideal candidate will have strong Postman and DAST tool experience, with the ability to independently assess APIs, engage with developers, and deliver actionable results quickly. Work is initiated via intake requests triggered by a tool. Developers submit requests; testers must validate API functionality and security, provide results, and close out tasks. A team member has documented the process well; the team now needs to ramp up support to clear the backlog. There is good documentation and internal knowledge. Work is primarily remote, but having someone local to Toronto is preferred for ad-hoc office visits or collaboration.
Responsibilities:
- Perform end-to-end API security testing using Postman and DAST tools
- Review and validate API intake forms, working directly with developers to clarify test scope and auth flows
- Classify APIs based on design and business exposure (internal vs external)
- Validate Swagger/OpenAPI specifications and provide feedback on quality and completeness
- Test APIs deployed in hybrid environments, including on-prem solutions and cloud platforms
- Triage findings to development teams, providing remediation guidance where needed
- Generate standardized reports via tooling interfaces or APIs
- Collaborate with AppSec and development teams to improve testing standards and automation coverage
Required Qualifications:
- 5+ years of experience in API testing or AppSec roles
- Experience testing APIs deployed in on-prem environments (e.g., TIBCO) and cloud environments (e.g., AWS API Gateway, Lambda, or containerized services)
- Proficiency with Postman, including testing across various authentication methods (OAuth2, JWT, API keys)
- Proficient in configuring and executing complex API test scenarios, including multi-step workflows, custom payload and header manipulation, pagination handling, rate limit validation, and filter/query parameter testing
- Solid understanding of API types (REST, GraphQL), authentication flows and error handling conventions
- Solid understanding of OWASP API Top 10 vulnerabilities and mitigation strategies
- Ability to read API designs and classify APIs by exposure and business use (for on-prem and cloud-based deployments)
- Ability to evaluate Swagger/OpenAPI documentation for completeness and testability
- Work independently and drive clarity with stakeholders
Core Skills:
- 3–5+ years of hands-on API security testing
- Strong experience with Postman (used for validating API responses before automating in security tools)
- Experience with dynamic API testing tools (e.g., APISEC) — not to be listed on job postings, but a major plus if on resumes
- Familiarity with OAuth tokens, authentication mechanisms, and working through various environments
- Ability to troubleshoot independently; must not rely on guidance for basics
Nice to Have:
- Familiarity with CI/CD pipeline integration (e.g., GitHub Actions, Jenkins) and automated API testing pipelines
- Scripting skills (Python, JavaScript) to enhance or automate testing/reporting
- Experience contributing to SOPs, reusable templates, or security testing playbooks
- Some experience recommending remediation strategies for critical vulnerabilities (tool offers suggestions, but team can support if needed)
Security Focus:
- No specific OWASP flaw targeting — testers follow existing SOPs and policies in tooling
- Opportunity to provide feedback if something seems inefficient or overly noisy
Applicant Notices & Disclaimers
- For information on benefits, equal opportunity employment, and location-specific applicant notices, click here
At SPECTRAFORCE, we are committed to maintaining a workplace that ensures fair compensation and wage transparency in adherence with all applicable state and local laws. This position’s starting pay is: $60.00/hr.