Job Description
· Conduct highly complex offensive security operations testing consistent with known adversary tactics techniques and procedures and contribute to the development of objectives and approaches taken to remediate risk
· Document security issues and impacts identified through offensive operations in a clear and concise manner to facilitate reporting to impacted stakeholders
· Provide guidance and recommendations to stakeholders responsible for security remediation actions to close identified gaps and remediation validation testing
· Consult with defensive operations teams on adversary tactics to guide and mature cyber defensive countermeasures
· Independently handle complex issues with minimal supervision, while escalating only the most complex issues to appropriate staff
· Other duties as assigned
· Assist in scoping and executing prospective engagements
· Understand and safely use various open source penetration testing tools and when appropriate, emulating hacker tactics, techniques, procedures
· Develop comprehensive and accurate reports and presentations for various consumers of penetration testing results
· Estimated work load is 1-3 assessments per month, consisting of a 1-2-week assessments including report writing
· While in-between assessments, you will be expected to improve any existing processes, develop tools, and potentially find new clients and perspective hires
· Develop scripts, tools, or methodologies to enhance MSI’s penetration testing processes
· Assist in scoping and executing prospective engagements
· Understand and safely use various open source penetration testing tools and when appropriate, emulating hacker tactics, techniques, procedures
· Develop comprehensive and accurate reports and presentations for various consumers of penetration testing results
· Estimated work load is 1-3 assessments per month, consisting of a 1-2-week assessments including report writing
· While in-between assessments, you will be expected to improve any existing processes, develop tools, and potentially find new clients and perspective hires
· Develop scripts, tools, or methodologies to enhance MSI’s penetration testing processes
· understand complex computer systems and technical cyber security terms
· work with clients to determine their requirements from the test, for example, the number and type of systems they would like testing
· plan and create penetration methods, scripts and tests
· carry out remote testing of a client's network or onsite testing of their infrastructure to expose weaknesses in security
· simulate security breaches to test a system's relative security
· create reports and recommendations from your findings, including the security issues uncovered and level of risk
· advise on methods to fix or lower security risks to systems
· present your findings, risks and conclusions to management and other relevant parties
· consider the impact your 'attack' will have on the business and its users
· Understand how the flaws that you identify could affect a business, or business function, if they're not fixed.
· Operate a hands-on role involving penetration testing and vulnerability assessment activities of complex applications, operating systems, wired and wireless networks, and mobile applications/devices
· Develop and maintain security testing plans
· Automate penetration and other security testing on networks, systems and applications
· Develop meaningful metrics to reflect the true posture of the environment allowing the organization to make educated decisions based on risk
· Produce actionable, threat-based, reports on security testing results
· Act as a source of direction, training, and guidance for less experienced staff
· Mentor and coach other IT security staff to provide guidance and expertise in their growth
· Consult with application developers, systems administrators, and management to demonstrate security testing results, explain the threat presented by the results, and consult on remediation
· Communicate security issues to a wide variety of internal and external “customers” to include technical teams, executives, risk groups, vendors and regulators
· Deliver the annual penetration testing schedule and conducting awareness campaigns to ensure proper budgeting by business lines for annual tests
· Foster and maintain relationships with key stakeholders and business partners
Job Requirements
· BSc/MSc in computer science, computing and information systems, cyber security, forensic computing, network management, Computer systems engineering or related field or equivalent experience
· 3 years of experience in security principles such as attack frameworks, threat landscapes, and attacker tactics, techniques and procedures
· Minimum of one (GPEN, CEH, and/or GWAPT) certification required
· Ability to identify and exploit web vulnerabilities (XSS, CSRF, SQLi, SSRF, arbitrary file upload, etc.)
· Ability to identify and exploit mobile vulnerabilities (API issues, insecure storage, memory corruption, deep links, etc.)
· Network penetration testing experience, Protocol analysis, CTF experience, Secure coding practices,
· Cryptography, Reading and writing assembly (x86 and ARM), Physical security or red team experience
· Binary analysis tools and debuggers (IDA Pro, Ghidra, WinDbg, Embedded systems experience
· Web application penetration testing, Mobile application penetration testing
· Source code vulnerability analysis, Serious problem-solving skills
· an in-depth understanding of computer systems and their operation
· excellent spoken and written communication to explain your methods to a technical and non-technical audience
· attention to detail, to be able to plan and execute tests while considering client requirements
· the ability to think creatively and strategically to penetrate security systems
· good time management and organizational skills to meet client deadlines
· ethical integrity to be trusted with a high level of confidential information
· the ability to think laterally and 'outside the box'
· teamwork skills, to support colleagues and share techniques
· exceptional analytical and problem-solving skills & the persistence to apply different techniques to get the job done
· business skills to understand the implications of any weaknesses you find
· Commitment to continuously updating your technical knowledge base.
· Experience in offensive security, with the ability to think like an adversary
· Strong ability to identify and exploit security gaps/vulnerabilities on endpoint devices, applications, and networks
· Strong experience in operating system and application security hardening and best practices
· Strong investigative mindset with an attention to detail
· Experience with multiple operating systems to include Windows, Mac OS, Unix/Linux, and mobile platforms
· Experience conducting assessments for solutions consisting of a variety of technology stacks and architectural implementations and hosting providers
· Exposure and understanding of enterprise solutions from a functional and security perspective
· Bachelor’s degree (or equivalent) in a technical field
· Must have or be willing to get Offensive Security Certified Professional (OSCP) certification within 6 months
· Network penetration testing and manipulation of network infrastructure
· Web Application Penetration Testing
· Email, phone, or physical social-engineering assessments
· Shell scripting or automation of simple tasks using Perl, Python, or Ruby
· Developing, extending, or modifying exploits, shell code or exploit tools
· Developing applications in C#, ASP, .NET, Objective C, Go, or Java (J2EE)
· Reverse engineering malware, data obfuscators, or ciphers
· Source code review for control flow and security flaws
· Strong knowledge of tools used for wireless, web application, and network security testing
· Thorough understanding of network protocols, data on the wire, and covert channels
· Solid understanding of Unix/Linux/Mac/Windows operating systems, including bash and PowerShell
How to Apply
Let Employers Find You
Upload/Update Your CVFeatured Jobs