Job opening: Penetration Testing Engineer
Job description
- Conduct formal penetration tests, both automated and manual, using approved standard methodologies to identify and exploit vulnerabilities in networks, systems and applications owned by Legal Technology
- Assess security controls for large enterprise systems and applications, and hosting infrastructure
- Evaluate configurations and implementations of firewalls, proxy servers, routers, Virtual Private Networks (VPNs), IDS / IPS, wireless networks, etc. against legal requirements, the organization's local policy, and industry best practices
- Conduct security system engineering based on industry best practices and common frameworks
- Document technical and logical security findings identified during the security assessments, and report them in a timely manner
- Provide consultative support with implementation of remediation steps, standards, and best practices
- Advise on methods to fix or lower security risks to systems
- Operate a hands-on role involving penetration testing and vulnerability assessment activities of complex applications, operating systems, wired and wireless networks, and mobile applications/devices
- Develop and maintain security testing plans
- Develop meaningful metrics to reflect the true posture of the environment allowing the organization to make educated decisions based on risk
- Produce actionable, threat-based, reports on security testing results
- Act as a source of direction, training, and guidance for less experienced staff
- Mentor and coach other IT security staff to provide guidance and expertise in their growth
- Consult with application developers, systems administrators, and management to demonstrate security testing results, explain the threat presented by the results, and consult on remediation
- Communicate security issues to a wide variety of internal and external “customers” to include technical teams, executives, risk groups, vendors and regulators
- Deliver the periodic penetration testing schedule and conduct awareness campaigns to ensure proper budgeting by business lines for annual tests
- Foster and maintain relationships with key stakeholders and business partners
Requirements
- Experience with API testing and Mobile Application testing
- Hands-on experience with two or more scripting languages such as Python, PowerShell, Bash, or Ruby.
- Familiarity with penetration testing tools and tool suites such as Burp Suite, OWASP ZAP, Kali Linux, etc.
- Proficiency or experience in any of the following tools would be an added advantage: Zed Attack Proxy, Micro Focus, Kiuwan, QARK, Android Debug Bridge, CodifiedSecurity, Drozer, WhiteHat Security.
- Ability to demonstrate a clear understanding of the following vulnerabilities: SQL Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Security Misconfiguration, and Cross-Site Request Forgery (CSRF).
- Participation in code audits/reviews.
- An aptitude for technical writing, including assessment reports and presentations.
- Strong understanding of penetration testing frameworks.
- Advanced knowledge of mobile application testing techniques, software, protocols and the ability to bypass common mobile application security controls.
- Understanding of offensive security, including offensive evasion techniques.
- General knowledge of web applications, databases, mobile, and cloud applications.
- Strong knowledge of Open Web Application Security Project (OWASP) (WEB and Mobile).
- Ability to think outside the box and emulate adversarial approaches.
Preferred Qualifications:
- Minimum 3 years of operational experience in Information Technology and Information Security
- Good written and verbal communication skills in English
- University Degree in Computer Science, Computer Engineering or other relevant field.
- Certifications such as CEH, Security+, ISO 27K, or SANS would be considered an asset.
- Good interpersonal communication and presentation skills.
- Ability to be a team player.
- Ability to work effectively in multiple cultures and at a range of levels.
- Ability to continually build up a skill set through a mix of self-motivated and course-based learning.
- Ability to work independently and proactively, see the big picture, and work through solutions as needed.
- Good knowledge of Windows, Linux, databases (MySQL, NoSQL), anti-malware, IDS and other security technologies.
- Basic understanding of virtualization and software-defined data center concepts.
- Knowledge of OSI reference model and networking fundamentals (switching, routing, load-balancing, firewalling).
- Understanding of commonly used Internet protocols such as SMTP, HTTP, and DNS.
- Basic understanding of cryptographic functionality within such protocols would be of advantage.
- Familiar with Security Regulations and Standards.
Required skills
- Python
- Bash
- Ruby
- NoSQL
- MySQL
Minimum work experience
- 3 to 6 years
Gender
- No preference
Military service status
- Permanent exemption or completed service