- Perform application and infrastructure penetration tests, as well as physical security review and social engineering tests for clients
- Perform security reviews of application designs, source code and deployments as required; covering all types of applications (web application, web services, thick client applications)
- Review and define requirements for information security improvements
- Work on improvements for provided security services, including the continuous enhancement of existing testing methodologies, materials and supporting assets
- Conduct architecture security reviews, application testing, internal vulnerability assessments and external penetration testing modeled after real world attackers (i.e., exploit and pivot)
- Conduct security architecture reviews of the full stack including applications built on cloud and emerging technologies
- Conduct manual application security testing and source code auditing for a variety of technologies.
- Provide clear and detailed risk assessment and remediation guidelines for developers and business leaders
- Other responsibilities include:
  - Security research on the latest best practices, trends, threats and vulnerabilities, and technology frameworks
  - Documenting and disseminating security guidelines for common security issues, remediation guidance, and security technology baselines
  - Developing tools and exploits to support application security review and/or penetration testing
- Bachelor's degree and at least 8 years of experience in testing web applications and enterprise penetration testing
- Experience with scripting languages (e.g. Perl, Python, PHP, Ruby) and programming languages (e.g. Java, Objective-C)
- Ability to explain networking concepts (routing, ACL, load balancers, SSL/TLS, TCP) in order to provide application architecture feedback to clients.
- Background in web application development and/or code auditing strongly preferred.
- Strong verbal & written communication skills.
- Passion for discovering and researching new vulnerabilities and exploitation techniques
- Vulnerability and threat management experience
- Experience with various security tools and products (AppScan, Nessus, Wireshark, Burp Suite, HP WebInspect)
- Good understanding of the components of a secure DLC/SDLC
- Vulnerability analysis and application reversing skills
- Understanding of cryptography principles