Pen-Testing Vulnerabilities Security Engineer
Posted on Jan 2, 2023 by Request Technology - Craig Johnson
*We are unable to sponsor for this permanent full-time role*
*Position is bonus eligible*
Prestigious Financial Institution is currently seeking a Pen-Testing Vulnerabilities Security Engineer. Security Red Team testers engage in targeted simulations consisting of threat intelligence gathering, network & application penetration testing, social engineering, physical security testing, mobile device testing, and more. Team members must ensure the availability and integrity of operational systems and self-disclose identified findings in a timely/proactive manner.
Candidate will have extensive experience in more than one of the following security testing domains: Open Source Intelligence, Network/Application, Web Application, Mobile Application, and Social Engineering. Experience testing database servers as well as proficiency with custom scripting and automation is a huge plus.
- Execute Red Team simulations based on organizationally defined threat scenarios with strict adherence to the agreed-upon rules of engagement.
- Conduct various Red Team activities such as: Intelligence Gathering, Network/Operating System/Application Penetration Testing, Web Application Penetration Testing, Mobile Application Testing, Social Engineering, Basic Emissions/Signals Testing, Physical Security Testing, etc.
- Execute Open Source Intelligence Collection and Analysis Techniques (OSINT); leverage available resources and develop custom tools.
- Understand vulnerabilities and develop relevant exploits/payloads for use during Red Team activities.
- Perform security risk assessment, threat analysis and threat modelling.
- Perform independent reviews of security, network, and applications.
- Plan/Design/Execute security related activities and create artifacts.
- Stay on-time, on-budget, and within scope of testing activities.
- Develop clear detailed reports and recommendations based on concrete evidence.
- Debrief users and provide remediation strategy on findings.
- Ensure alignment of security controls in testing program and supporting services and related policies and procedures with applicable regulations and industry standard best practices.
- Assist management with the improvement of policies and procedures to support Security Testing and Red Team activities as well as other security duties which may arise.
- Participate in developing a security roadmap, adopt security best practices, and implement new ideas and innovations according to the industry trends.
- Adhere to best practices and work to deliver secure, quality products.
- Consult with technical experts and system owners on all aspects of Information Security and Compliance.
- Work closely with Production Support staff, Incident Response, and IT infrastructure to increase organizational security posture.
- Support security objectives and remediation efforts relating to Security Testing.
- Support and successfully complete audits.
- Cross-train the other Security Red Team members.
- Cross-train other teams within Security Services and IT departments to provide subject matter knowledge of a specific adversarial threat/risk, or to assist with remediation path recommendations.
- Participate in Lessons Learned process to provide information to help improve practices, methodologies, tools, and other technologies.
- Participate on various technical committees and provide input and feedback to department.
- Stay current on emerging technology trends and the threat landscape.
- Advise IT on current and emerging threats, their attack vectors, and how to mitigate them.
- Provide leadership, share knowledge and mentor team members.
- Train full-time and contingent Security Testing Red Team personnel.
- Support Security Red Team management and activities and be a team player.
- Perform other duties as assigned.
- Excellent focused domain areas of expertise as well as a good breadth of experience across Network/Application Penetration Testing, Web Application Penetration Testing, Mobile Application Penetration Testing, Social Engineering and Open Source Intelligence, Basic Emissions Testing, Physical Security Testing, and more.
- Proven due diligence and research ability via open source avenues and technology.
- Strong familiarity with enterprise technologies; strong technical background and understanding of security-related technologies; prefer operational experience as an administrator, engineer, or developer and direct experience testing in commercial cloud environments (AWS, Azure, IaaS/PaaS/SaaS).
- Good applicable knowledge of policy and procedure development, systems analysis, Information Assurance (IA) policy, vulnerability management, and risk management.
- Good understanding of regulatory standards including CSF, NIST, PCI, SSAE 16, SAS 70, HIPAA, FIPS 199, COBIT 5 and others as needed.
- Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.
- Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
- Exhibit ability to understand and probe/exploit a diverse range of Network and Internet Protocols.
- Exhibit ability to understand and modify code in a diverse range of programming languages and frameworks; must have direct practical experience with one or more high-level programming languages.
- Strong proficiency in network, application, emissions and physical security.
- Strong proficiency in social engineering and intelligence gathering.
- Strong experience with custom scripting (Python, PowerShell, Bash, etc.) and process automation.
- Strong experience with database security testing (MSSQL, DB2, MySQL, etc.).
- Strong proficiency with common penetration testing tools (Kali, Armitage, Metasploit, Cobalt Strike, Nmap, Qualys, Nessus, Burp Suite, Wireshark, Recon-NG, Netsparker, Ettercap/Bettercap, Hashcat, BloodHound, IDA Pro, Ghidra, Sublist3r, Rubeus, Mimikatz, CrackMapExec, Exploit-DB, Yersinia, Impacket, etc.).
- Experience with Mainframe, Windows, Unix, macOS, and Cisco platforms and controls.
- Proficient in creating content with Microsoft Office (Word, Excel, PowerPoint, Visio).
- Proficient in basic document management in a Microsoft SharePoint environment.
- Experience with dedicated document management tools (e.g., DMS, PolicyTech) a plus.
- Experience with using ServiceNow a plus.
- BS in Computer Science, Information Management, Information Security or other comparable technical degree from an accredited college/university desired.
- 3+ Years' experience penetration testing.
- 5+ Years' experience in Information Assurance or Information Security environment.
- Certificates or Licenses:
- Security-related certifications (CISSP, CISA, CRISC, ISSAP, GSLC, OSCP, OSCE, GPEN, or GXPN, etc.) highly desired.