This is a key role within the application delivery team, validating the security of the application throughout the SDLC. The candidate will work closely with architects, tech leads, IT security team, testing team, and product owners to understand the requirements, design and develop appropriate security abuse cases, execute, and produce reports.
Responsibilities
Conduct technical scoping of security testing activities required in a project.
Define abuse cases and execute security tests using a broad range of tools to discover and exploit possible vulnerabilities and weaknesses within cloud, on-prem and hybrid environments.
Bring in appropriate tools to the organization and set up relevant testing configurations to enhance practical testing processes.
Perform controlled and methodical attempts to exploit identified vulnerabilities, simulating real-world attacks (manual penetration testing).
Perform application security assessments using industry standards such as OWASP ASVS, NIST and PCI DSS.
Analyze and understand the impact and severity of exploits. Determine the risk and consequences that could result from these vulnerabilities.
Document findings and remediation recommendations and collaborate with security consulting team and architects to ensure vulnerability findings are successfully and efficiently addressed.
Provide guidance on implementing and/or improving secure software development processes.
Stay up to date with latest security vulnerabilities, techniques and industry best practices.
Typical security testing activities:
o Conduct comprehensive penetration testing and vulnerability assessment on our networks, systems, and applications.
o Conduct vulnerability assessments of applications to identify potential security risks, using industry tools such as Burp, Kali Linux, nmap, ZAP, Metasploit, Wireshark, SQLMap, fuzzing tools and other open-source tools.
o Software/Web Application Penetration Testing
o API penetration testing
o Mobile Application Penetration Testing
o Network Penetration Testing
o SAST and DAST
Requirements
Bachelor's degree in computer science or a related field.
5+ years of experience in application security testing.
Experience with security and architecture testing and development frameworks such as the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), the Information Systems Security Assessment Framework (ISSAF), and NIST SP 800-115.
Familiarity with security testing techniques such as threat modeling, network discovery, port and service identification, vulnerability scanning, network sniffing, penetration testing, configuration reviews, firewall rule reviews, social engineering, wireless penetration testing, fuzzing, and password cracking, and the ability to perform these techniques from a variety of adversarial perspectives (white-, grey- and black-box).
Experience with discovering, utilizing, and possibly writing exploits for vulnerabilities such as buffer and stack overflows.
Familiarity with the logistics of security testing, such as acquiring authorization for testing, reporting, risk analysis of findings, data handling, and legal considerations.
Certified Ethical Hacker (CEH), GIAC Certified Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), or an equivalent development or testing certification (ECSA, CEPT, CPTE, CPTS, etc.).