Principal, Cybersecurity Penetration Tester

About The Position

Requirements

• Bachelor’s degree in Computer Science, Engineering, Information Technology, Information Systems, or a closely related field (or foreign education equivalent) and five (5) years of experience as a Principal, Cybersecurity Penetration Tester (or closely related occupation) performing black and white box testing to protect against cyber threats and ensure application security (web, mobile, API, and thick client).
• Master’s degree in Computer Science, Engineering, Information Technology, Information Systems, or a closely related field (or foreign education equivalent) and three (3) years of experience as a Principal, Cybersecurity Penetration Tester (or closely related occupation) performing black and white box testing to protect against cyber threats and ensure application security (web, mobile, API, and thick client).
• Demonstrated Expertise (“DE”) estimating risks on security flaws uncovered during static or dynamic analysis in line with the OWASP testing guide.
• Conducting pen-testing on applications to uncover security vulnerabilities - Injection attacks, Server-side attacks, Privilege escalation, GraphQL batching attacks, or JWT signature manipulation attacks - using BurpSuite Professional Edition, Fiddler, Kali Linux, and SQLMap.
• DE analyzing source code for security weaknesses, writing custom scripts, exploiting security vulnerabilities, and conducting retests to determine mitigation measures implemented by development teams, through a combination of manual analysis by using BurpSuite Professional, and automated scans using GitHub Advanced Security(GHAS) and MEND.
• DE analyzing Common Vulnerability Exposure (CVE) on third party libraries, using Veracode SCA, MEND, Exploit-DB, and NVD databases.
• Coordinating actions associated with the dismissal or reopening of policy violation alerts related to security, licensing, and coding standards using GitHub Advanced Security (GHAS).
• DE crafting custom scripts to effectively automate labor-intensive manual tasks (logging security findings, preparing weekly status reports, verifying artifact correctness) and empower the efficient allocation of resources, enhancing the overall security assessment process, using Python or Selenium.

Responsibilities

• Performs advanced Web application source code auditing.
• Analyzes codes, writes scripts, and exploits web vulnerabilities.
• Analyzes test results, draw conclusions from results.
• Identifies vulnerabilities by performing thorough evaluations of security vulnerabilities on Web and mobile applications.
• Collaborates with application developers to mitigate risk and improve security posture.
• Performs security testing on web and mobile applications to support production releases.
• Models potential external threats by replicating the techniques and tools used by malicious attackers.
• Prepares reports on completed assessments and present results to application owners, developers, and business unit information security teams.
• Consults with operations and software development teams to ensure potential weaknesses are addressed.
• Contributes to the research and development of tools to assist in the vulnerability discovery process.
• Keeps abreast of current cybersecurity best practices and vulnerabilities.
• Conducts peer reviews to facilitate continuous improvement across the team.