Web Penetration Tester

Job Responsibilities

• Conduct highly complex security audit and offensive security operations testing  consistent with known adversary tactics techniques and procedures and  contribute to the development of objectives and approaches taken to  remediate risk
• Document security issues and impacts identified  through offensive operations in a clear and concise manner to facilitate  reporting to impacted stakeholders
• Provide guidance and  recommendations to stakeholders responsible for security remediation  actions to close identified gaps and remediation validation testing
• Consult with defensive operations teams on adversary tactics to guide and mature cyber defensive countermeasures
• Independently handle complex issues with minimal supervision, while escalating only the most complex issues to appropriate staff
• Other duties as assigned, assist in scoping and executing prospective engagements
• Understand  and safely use various open source penetration testing tools and when  appropriate, emulating hacker tactics, techniques, procedures
• Develop comprehensive and accurate reports and presentations for various consumers of penetration testing results
• Estimated work load is 1-3 assessments per month, consisting of a 1-2-week assessments including report writing
• While  in-between assessments, you will be expected to improve any existing  processes, develop tools, and potentially find new clients and  perspective hires
• Develop scripts, tools, or methodologies to enhance MSI’s penetration testing processes
• Assist in scoping and executing prospective engagements
• Understand  and safely use various open source penetration testing tools and when  appropriate, emulating hacker tactics, techniques, procedures
• Develop comprehensive and accurate reports and presentations for various consumers of penetration testing results
• While  in-between assessments, you will be expected to improve any existing  processes, develop tools, and potentially find new clients and  perspective hires
• Develop scripts, tools, or methodologies to enhance MSI’s penetration testing processes
• Understand complex computer systems and technical cyber security terms
• Work  with clients to determine their requirements from the test, for  example, the number and type of systems they would like testing
• Plan and create penetration methods, scripts and tests
• Carry out remote testing of a client's network or onsite testing of their infrastructure to expose weaknesses in security
• Simulate security breaches to test a system's relative security
• Create reports and recommendations from your findings, including the security issues uncovered and level of risk
• Advise on methods to fix or lower security risks to systems
• Present your findings, risks and conclusions to management and other relevant parties
• Consider the impact your 'attack' will have on the business and its users
• Understand how the flaws that you identify could affect a business, or business function, if they're not fixed.
• Operate a hands-on role involving penetration testing and  vulnerability assessment activities of complex applications, operating  systems, wired and wireless networks, and mobile applications/devices
• Develop and maintain security testing plans
• Automate penetration and other security testing on networks, systems and applications
• Develop  meaningful metrics to reflect the true posture of the environment  allowing the organization to make educated decisions based on risk
• Produce actionable, threat-based, reports on security testing results
• Act as a source of direction, training, and guidance for less experienced staff
• Mentor and coach other IT security staff to provide guidance and expertise in their growth
• Consult  with application developers, systems administrators, and management to  demonstrate security testing results, explain the threat presented by  the results, and consult on remediation
• Communicate security  issues to a wide variety of internal and external “customers” to include  technical teams, executives, risk groups, vendors and regulators
• Deliver  the annual penetration testing schedule and conducting awareness  campaigns to ensure proper budgeting by business lines for annual tests
• Foster and maintain relationships with key stakeholders and business partners.

Job Requirements

• Ability to identify and exploit web vulnerabilities (XSS, CSRF, sqli, SSRF, arbitrary file upload, etc.)
• Ability to identify and exploit mobile vulnerabilities (REST and graphql API issues, insecure storage, memory corruption, deep links, etc.)
• Network penetration testing experience, VPS and shared server configurations and  vulnerability findings
• Linux security and types of attack (Malware, Sniffing attack, Brute-force attack, SQL injection, Cross-site scripting (XSS), No function-level control, broken authentication) experience.
• Familiarity with programming languages like python and JavaScript.
• Protocol analysis and CTF experience
• Experience Penetration Testing Tools Air crack-ng, Burp Suite, Cain and Abel, CANVAS by Immunity, John the Ripper, Metasploit, SQL map, Nmap, Astra Pentest. 
• Secure coding  review and audit practices
• Cryptography and  hashing experience
• Reading and writing assembly (x86 and ARM)
• Binary analysis tools and debuggers (IDA Pro, Ghidra, windbg, etc.)
• Exploit Development and Web application penetration testing
• Mobile application penetration testing
• Source code vulnerability analysis and Serious problem-solving skills
• An in-depth understanding of computer systems and their operation
• Excellent spoken and written communication to explain your methods to a technical and non-technical audience
• Attention to detail, to be able to plan and execute tests while considering client requirements
• The ability to think creatively and strategically to penetrate security systems
• Good time management and organizational skills to meet client deadlines
• Ethical integrity to be trusted with a high level of confidential information
• The ability to think laterally and 'outside the box'
• Teamwork skills, to support colleagues and share techniques
• Exceptional analytical and problem-solving skills and the persistence to apply different techniques to get the job done
• Business skills to understand the implications of any weaknesses you find
• Commitment to continuously updating your technical knowledge base.

Minimum qualifications

• Bachelor’s degree in Computer science, Software Engineering and related field or equivalent experience in pen testing and ethical hacking.
• 3+ years of experience in security principles such as attack frameworks, threat landscapes, and attacker tactics, techniques and procedures
• Experience in offensive security, with the ability to think like an adversary
• Strong ability to identify and exploit security gaps/vulnerabilities on endpoint devices, applications, and networks
• Strong experience in operating system and application security hardening and best practices
• Strong investigative mindset with an attention to detail
• Experience with multiple operating systems to include Windows, Mac OS, Unix/Linux, and mobile platforms
• Experience  conducting assessments for solutions consisting of a variety of  technology stacks and architectural implementations and hosting  providers
• Exposure and understanding of enterprise solutions from a functional and security perspective
• Bachelor’s degree (or equivalent) in a technical field
• Minimum of one (GPEN, CEH, and/or GWAPT) certification required
• Must have or be willing to get Offensive Security Certified Professional (OSCP) certification within 6 months
• Web Application Penetration Testing
• Email, phone, or physical social-engineering assessments
• Shell scripting or automation of simple tasks using Java script, Python, or Ruby
• Developing, extending, or modifying exploits, shellcode or exploit tools
• Reverse engineering malware, data obfuscators, or ciphers
• Source code review for control flow and security flaws
• Strong knowledge of tools used for wireless, web application, and network security testing including REST and graphsql API.
• Thorough understanding of network protocols, data on the wire, and covert channels
• Solid understanding of Unix/Linux/Mac/Windows operating systems, including bash and PowerShell.

Certification

The ideal candidate has achieved multiple industry certifications, and at least one advanced level certifications (OSCP, OSWE, GWAN, OSWP, or equivalent).  

• Certified Expert Penetration Tester (CEPT)
• Certified Mobile and Web Application Penetration Tester (CMWAPT)
• Certified Red Team Operations Professional (CRTOP)
• CompTIA PenTest+
• EC-Council Certified Ethical Hacker (CEH)
• EC-Council Licensed Penetration Tester — Master (LPT)
• GIAC Certified Penetration Tester (GPEN)
• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• GIAC Web Application Penetration Tester (GWAPT)
• IACRB Certified Penetration Tester (CPT)
• Offensive Security Certified Professional (OSCP)
•  Candidates should have 3+ years of experience performing penetration tests

How to Apply

By Email Address >> [email protected]