Job Data Security/ Compliance

Principal Penetration Tester Information Security

The Penetration Tester is an integral part of the Global Cyber Security team and will be responsible for executing penetration tests to support the Secure Development Lifecycle.  This role ensures that products that are developed are built securely and security vulnerabilities detected in the product are addressed prior to release.  Additional responsibilities may be asked as deemed necessary. 


Job Responsibilities

  • Prioritize, lead and execute internal white box and gray box penetration tests for windows applications, web applications and APIs to support the Secure Development Lifecycle.
  • Participate in penetration test scoping discussions with various product teams and identify the necessary tools to execute the penetration test.
  • Assess documentation, including but not limited to architecture diagrams, network diagrams, etc. to determine threats and risks that need to be mitigated prior to product release.
  • Participate in threat modeling, risk analysis and creation of mitigation plans to address identified threats and risks.
  • Write formal reports that thoroughly document the security risk, steps to reproduce, and mitigation recommendations to address the threats and risks.
  • Partner with cross-functional teams to address the risks identified through testing in alignment with defined Service Level Agreements (SLAs).
  • Keep up to date with information security trends and emerging threats and vulnerabilities that need to be considered as part of the role.
  • Handle communications between geographically dispersed groups.

Qualifications

  • 5+ years demonstrated experience in the field of Information Technology, Software Engineering, Information Security or related field.
  • Experience in threat modeling, security reviews, risk analysis, vulnerability management, and Secure SDLC.
  • Experience in windows application engineering, web applications, and/or API security.
  • Demonstrated experience in assessing security of windows applications, web applications, APIs, and backend/infrastructure supporting the applications.
  • Excellent communication skills to interact and work with vendors, application teams and other stakeholders such as product and program managers.
  • Technical proficiency and hands on experience with various secure code scanning tools such as Burp Suite, web application scans, dynamic code analysis and static code analysis tools.
  • Independent end to end hands-on manual experience in Windows, Web, Webservice / API (REST & SOAP) Penetration Testing and secure code review.
  • Knowledge of network/application protocols, topologies, reverse engineering, fuzzing & exploit development. 
  • Proven understanding of application protocols, development, common attack vectors, OWASP top 10 vulnerabilities.
  • Familiarity with application security guidelines such as OWASP Top Ten, OSTMM (Open Source Security Testing Methodology Manual) & WASC (Web Application Security Consortium). 
  • Familiarity with reverse engineering tools, debuggers, and dynamic analysis techniques.
  • Knowledge of languages such as C, C++, Java, Python (C, C++ preferred)
  • Deep knowledge of Windows operating system architecture (including but not limited to Kernel, I/O operations, File System, Device Drivers, memory management, IPC, windows registry) would be preferred.
  • Experience with common Windows application penetration testing techniques such as DLL hijacking, analyzing files/traffic using tools such as Proc mon, TCP View, Wireshark, netstat
  • Ability to intercept and tamper communication between client and the server
  • Proven understanding of secure architecture, secure configuration, reverse engineering, Encryption, unlocking / rooting mobile devices
  • Up to date knowledge of current and emerging security threats and techniques for exploiting security vulnerabilities in applications
  • Effective project management skills, oral and written communication skills, and interpersonal skills.

Preferred Qualifications

  • Experience in quality assurance and automation is a plus.
  • Formal training and/or certification in the domain of software-based testing, quality assurance is preferred.
  • Security certification/s from GIAC, EC | Council such as GMOB, CEH are strongly considered.