United Airlines Senior Analyst – Ethical Hacker in Chicago, Illinois

We have a wide variety of career opportunities around the world — come find yours.

Information Technology

The United IT team designs, develops and maintains massively scaling technology solutions that are brought to life with innovative architectures, data analytics and digital solutions.

Job overview and responsibilities

The Senior Analyst – Ethical Hacker will conduct application security assessments/penetration tests of our internal/external web, mobile, & web service applications leveraging both manual techniques as well as automated tools to uncover and report security vulnerabilities that exist. This person will use knowledge of business risks associated to common security vulnerabilities and will communicate to application developers and/or managers about how application security vulnerabilities are relevant to their work. This person may also assist with advanced vulnerability research across application security and support researching bugs for the Bug Bounty program. Ability to work independently in a large-scale, enterprise setting is required.

  • Conduct advanced manual web application penetration tests and assessments on United Airlines mobile and web applications

  • Perform advanced application vulnerability research to help United identify risk and fix vulnerabilities

  • Serve as a subject matter expert in application security manual testing

  • Develop and implement security standards, procedures, and guidelines for multiple platforms and diverse environment (e.g. client server, distributed, mainframe, etc.)

  • Use in-depth technical knowledge and business requirements to propose secure solutions to vulnerabilities found while assessing any company assets

  • Exercises judgment within broadly defined practices and policies in selecting methods, techniques, and evaluation criterion for obtaining results


  • Bachelor degree in Computer Science or a related field, or an equivalent combination of education, training, and/or experience related to this position

  • Dynamic and static application scanning

  • Exploitation of OWASP top 10 vulnerabilities

  • In-depth mobile and web application penetration testing

  • Understanding of Agile and Waterfall development processes

  • Ability to demonstrate manual web application testing experience; i.e. candidate must be able to execute a SQL injection/cross-site scripting attack without the use of automated tools

  • Expert level experience with web application vulnerability scanning tools (e.g. IBM AppScan, HP WebInspect, Acunetix, NTO Spider, Burp Suite Pro, Veracode, Qualys, etc.)

  • Knowledge of network and Web related protocols/technologies (e.g., UNIX/LINUX, TCP/IP, HTTP/HTTPS, REST, Cookies)

  • Experience with vulnerability assessment tools and penetration testing techniques. (e.g., web application proxies, packet capture analysis software, browser extensions, penetration testing distributions such as Kali

  • Linux, static source code analyzers, SoapUI, etc.)

  • Experience penetration testing on mobile platforms

  • At least 3 years of experience in IT security, with at least 5 years of IT experience

  • At least 3 years of experience conducting vulnerability assessments, code reviews and penetration tests against web/mobile application technologies, services, platforms and languages to find flaws and exploits

  • Experience with network exploitation, attack strategies and methods, current IT security technology, software and cyber threat mitigation tools

  • Experience using Information Security attack vectors like SQL injection, cross-site scripting, pass-the-hash, cross-site request forgery, clickjacking, authentication/authorization, privilege escalation, business logic bypass, OWASP Top 10, SANS Top 25 Software Errors, etc.

  • Strong written and verbal communication skills

  • Ability to concisely and accurately convey complex cyber security concepts to both technical and non-technical audiences

  • Strong teamwork skills

  • Ability to multi-task and handle multiple projects

  • Ability to work in a fast paced, challenging environment

  • Experience with IT security incident response procedures, risk assessment methodologies, and risk management processes and implementation

  • Must be legally authorized to work in the United States for any employer without sponsorship

  • Successful completion of interview required to meet job qualification

  • Reliable, punctual attendance is an essential function of the position


  • Solid programming/debugging skills with proficiency in one or more of the following; Java, JavaScript, HTML, XML, PHP, ASP.NET, AJAX, JSON, Objective-C

  • Strong scripting skills (e.g., Python, Perl, shell script, JavaScript)

Expert-level experience and detailed technical knowledge in at least three of the following areas:

  • General information security

  • Security engineering

  • Application architecture

  • Authentication and security protocols

  • Application session management

  • Applied cryptography

  • Common communication protocols

  • Mobile frameworks

  • Single sign-on technologies

  • Web services

  • Demonstrated ability to learn and apply critical thinking to a variety of situation

  • Critical infrastructure and/or airline experience

  • Development experience, especially in mobile programming

  • Experience in Structured Query Language, Xcode, Objective-C, Java, .NET

Equal Opportunity Employer – Minorities/Women/Veterans/Disabled/LGBT

Division: 47 Technology/IT

Function: Information Technology

Equal Opportunity Employer – Minorities/Women/Veterans/Disabled