The role of Penetration Tester is ensuring those without authorization cannot access an organization’s data by performing a hack into the application, systems, database, networks, mobile apps, and any other means to access corporate information in order to identify potential vulnerabilities in the system.
- Conduct scenarios and tests in networks and applications, and perform security tests on networks, web/mobile-based applications, and computer systems.
- Conduct physical assessments of servers, systems, and network device security. Look for ways to exploit vulnerabilities and design solutions to security issues like temperature, humidity, vandalism, and natural disasters.
- Conducts security audits to ensure minimum security setting implementation.
- Organizations enforce security policies that identify procedures and rules for accessing and using their IT resources, and analyze these policies for effectiveness, make suggestions on security policy improvements, and work to enhance methodology material
- Write or create the security assessment report
- Responsible to establish and secure SDLC (security on software development lifecycle) and operation validation to software cycles.
- Responsible for attack analysis, application and business attack detection, response and handling mechanism establish, implementation and operation.
- Recognizes problems by identifying abnormalities and reporting violations, responsible for application and business security test and security tools building
- Responsible for establishing vulnerability remediation mechanism and implements security improvements by assessing the current situation, evaluating trends, and anticipating requirements.
- Execute planned operations against the corporation for the purpose of training incident response teams
- Respond to threats in real-time and manage the response mechanisms through their lifecycle.
- Document and present results to a variety of target audiences, ranging from highly technical engineers over to non-technical subject matter experts to senior leadership
Requirement:
- At least 3 years of hands-on penetration testing experience
- At least one year of web and mobile application penetration testing experience
- Preferable to have CEH certification and OSCP Certification is a plus
- Demonstrated enthusiasm for Information Security (e.g. GitHub repo, blogs, presentations, conference talks, a local security association member, participated in free skill-building / hacking challenges – SANS Holiday Hack, HackerOne CTF, HackTheBox.eu, etc.)
- Competency in common operating systems (e.g. Windows, macOS, Linux)
- Proficiency with at least two scripting languages (e.g. Python, Bash, JavaScript, PowerShell)
- An understanding of cloud computing models, technologies, and concepts
- Knowledge of PCI and ISO 27001 programs
- A passion for identifying and exploiting vulnerabilities
- Demonstrated entrepreneurial abilities, client focus, industry savvy, and the ability to work independently or as part of a collaborative team
- Self-driven in a working environment, motivation to continuously improve your skillset
- Security, Software Development, Networking, and/or Systems Administrator Experience
- Deep understanding of 3-tiered Web Application and Mobile Application Architectures
- Manual Penetration Testing Experience (i.e. mapping applications, injecting SQLi, XSS, XXE, exploit creation)
- Must have Commercial Web Application Tool Experience (i.e. BurpSuite, AppScan, WebInspect)
- Network Penetration Testing Tool Experience (i.e. Nmap, Nessus, Wireshark, Metasploit, Hydra, John)
- Source Code Review (aka Static Analysis) Experience
- Mobile Application Penetration Testing (i.e. iOS, Android, Windows, Blackberry)
- Exceptional communication skills, with the ability to explain the technical details of OWASP Top 10 and other vulnerabilities from C-levels to developers in a large professional environment
