Web App Pen Tester
This position is with an organization that is known as a cooperative, which oversees and services its member companies, who in turn are connecting with over 100 million consumers across the entire US and other parts of the globe. Like many organizations today, their security landscape is maturing, and they are seeking several key members of the team to help them reach their goals.
Penetration Testing and Assessment
$130,000 - $160,000
Permanent, full time. NOT A CONTRACT OPPORTUNITY
US Citizen or Permanent Resident status required
You will be part of a team that helps to ensure infrastructure and applications are secured against the latest threats and help build our assessment program. You will be responsible for conducting manual penetration testing, creating/maintaining automated penetration testing solutions, documenting penetration testing methodologies, helping application teams improve their development processes, and maturing our assessment program.
This role will require execution of both web application and network penetration assessments. This is not a “run a vulnerability scan and check to see what’s in Metasploit” role. A candidate should have a demonstrable understanding of information security, computer science, networking, applications, databases, and operating system functionality and be able apply this understanding to advanced concepts such as application manipulation, exploit development, and stealthy operations.
In addition to penetration testing, you will be responsible for performing more general security assessments (i.e. assessing configurations, trust relationships, access models for applications and infrastructure and applying an adversarial lens), overseeing penetration assessments executed by third parties, working with internal teams to develop detective/preventative controls, and driving a vision and maturity to the assessment program.
- Penetration testing & vulnerability research
- Recommendation of threat mitigations
- Produce high-quality penetration testing reports
- Projects and research work as needed
- Security assessment program leadership
- Security training and outreach to internal development teams
- Security guidance documentation
- Security tool development
- Security metrics delivery and improvements
- Minimum of 2 years of experience with vulnerability assessment and auditing techniques. This should include or had previous experience and possess advanced knowledge and understanding of security engineering, system and network security, authentication and security protocols, cryptography, and application security. This will probably also include things like knowledge of SQL Injection, XSS, RCE, Buffer Overflows, filter invasion, and other application-layer attacks.
- Familiar with the concepts of networking and common network defenses: routing, sub-netting, firewalls, IPS, WAF, etc.
- Familiarity with common reconnaissance, exploitation, and post-exploitation frameworks
- Familiarity with assessment tools such as scanners, administrative utilities, local proxies, debuggers, fuzzers, etc.
- Able to perform targeted penetration tests and exploitations without the use of automated tools
- Strong familiarity with OWASP Top 10 and ability to assess risk based on established methodologies (i.e. OWASP Risk Rating Methodology)
BIG PLUS IF YOU HAVE
- Experience with red teams or CTF (Capture the Flag)
- Familiarity with integrating penetration tests with an SDLC process.
- Experience with driving company-wide initiatives
- Expert-level understanding in at least one core area of Information Security
- Experience with multiple programming languages, especially scripting languages (such as Python, Ruby, Perl, etc.)
- Experience with reverse engineering or dissecting exploit code and security tool development
- Experience with mobile apps and API (REST, SOAP) assessments
- Experience with white box testing (identifying vulnerabilities via code review)
- Demonstrable teamwork skills and resourcefulness
- Sharp analytical abilities and proven design skills
- Experience providing training and mentorship