Application Security Test Engineer – Penetration Testing
CCbill needs to expand its capability to ensure that security requirements are assessed early in the development lifecycle and that the architecture and design of the application incorporate the required security measures. For this we are looking to hire an Application Security Test Engineer (Penetration Testing) who has in-depth information security and information technology expertise, including industry knowledge and awareness of emerging technologies that impact cyber security. It requires a self-starting individual who is comfortable working across and partnering with a range of functions, including Information Regulatory Compliance, Project Management, Development, Quality Assurance and Architecture, to promote information security best practices throughout the enterprise. Typical assignments will involve in-depth testing of the security of critical applications and discovering possible gaps through the use of threat modeling, source code review, application behavior analysis, and other security frameworks or best practices, e.g. OWASP, OSSTMM, NIST publications, SANS/CWE. The candidate will be expected to act as a subject matter expert in offensive information security, specializing in web programming and application technology.
The position reports directly to the Director of Quality Assurance and Release Engineering.
PRINCIPAL DUTIES AND RESPONSIBILITIES:
- Performs penetration tests against applications of advanced complexity and writes reports documenting the findings, including all vulnerabilities, potential issues, and strengths found during the test.
- Maintains the tracking of tickets for remediation of vulnerabilities and potential issues found during penetration tests.
- Evaluates commercial and open source tools to be used for the purposes of penetration testing.
- Monitors security controls and certifies that the required security testing is accomplished before a feature is released to production.
- Establishes a security control baseline by identifying and documenting inheritable controls and by selecting and documenting security controls.
- Provides support on network security systems, including advanced endpoint security solutions, application whitelisting, file integrity monitoring, endpoint encryption, spam filtering, firewalls, intrusion detection and intrusion prevention systems.
- Completes and processes static source code vulnerability analysis reports for in-house developed applications as directed.
- Works in conjunction with the InfoSec department to support the company's commitment to protect the integrity and confidentiality of systems and data.
- Provides technical guidance to developers on discovering and remediating software coding security vulnerabilities.
- Partners with architects and application development teams in developing secure software designs.
- Applies knowledge of information security and application development industry trends and technology to drive organizational change and to position the organization to properly manage and remediate vulnerabilities.
- Provides technical expertise to research, evaluate, recommend and plan the implementation of commercial and/or open source security tools to be used for the purposes of penetration testing.
- Assists the Director of QA in developing an overall IT security control monitoring/test strategy that proactively protects the integrity, confidentiality, and availability of CWIE’s enterprise data, information systems, and networks.
REQUIRED SKILLS AND QUALIFICATIONS:
- Advanced knowledge of TCP/IP, networking, web applications, and databases.
- Advanced working understanding of penetration test and security assessment procedures.
- Advanced knowledge of web development and programming languages, e.g. Java, .NET, Python, Perl, etc.
- Advanced knowledge of network and infrastructure security.
- Advanced administration of Unix, Linux, Mac OS X, and Windows operating systems.
- Advanced experience using any of the penetration test tools available in the market. Hands-on experience with manual testing and automated tools such as WhiteHat, Burp Suite, Metasploit, Nexpose, Nessus and Wireshark.
- Advanced understanding of proxies and fuzzing techniques for various types of security assessments.
- Advanced knowledge of the Open Web Application Security Project (OWASP) Top 10 vulnerabilities, testing procedures, and remediation recommendations.
- Effective written and oral communication skills.
- Proven ability to research, recommend and document repeatable defense solutions.
- Experience with Threat Modeling, DevOps, Secure SDLC.
- Ability to perform architecture and source code review.
- Ability to effectively present to peers, coworkers, and customers.
- Experience in analyzing and explaining business vs. technical risks.
- Expert at troubleshooting and diagnosing system issues.
- A high degree of flexibility and creativity to work in an increasingly ambiguous and fast paced environment.
- Ability to work in and embrace a team environment.
- Ability to work independently with minimal supervision.
- Ability to be self-motivated and exhibit a high degree of professionalism.
- Demonstrated ability to handle high levels of stress.
- Certified Ethical Hacker (CEH) / Certified Penetration Tester (CPT) or equivalent certification.
- OSCP, CISSP, eCRE, eNDP, eWDP or eWAPT certification or equivalent.
- Experience working in a PCI regulated software development environment.
- Bachelor's degree in Computer Science, Information Systems or other related field. Advanced degree preferred.
- Minimum of 3 years of experience in performing penetration testing and participating in designing security controls for software application systems, hardware configuration, and network architecture for an enterprise.
- This position is full time. The employee is expected to work 40 hours weekly.
- Since most of the InfoSec team is based in the US and this position will have to interact with the team on a regular basis, the employee will be required to work between 10:00 am and 6:00 pm CET.
- The employee is to report to his or her supervisor if unable to attend work.
- Ability to work overtime on rare occasions.