Security Engineer - Penetration Tester
- Analyze organization's cyber defense policies and configurations and evaluate risk and compliance with regulations and organizational directives.
- Conduct, support, or oversee authorized penetration testing on enterprise network assets.
- Prepare and review reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions.
- Perform risk analysis; Measure effectiveness of controls against known vulnerabilities.
- Work with stakeholders (system administrators and owners) to manage risks/vulnerabilities.
- Perform technical (evaluation of technology) and non-technical (evaluation of people and operations) impact/risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, supporting infrastructure, and applications).
- Identify systemic security issues based on the analysis of vulnerability and configuration data.
- Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems and processes).
- Ensure remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.; provide clear updates to management on vulnerabilities; investigate, document, and report on status and emerging trends.
- Maintain up-to-date vulnerability profiles, including respective detection and countermeasures.
- Participate in industry task forces and working groups where appropriate to understand current and emerging vulnerabilities to stay up to date.
- Risk management processes (e.g., methods for assessing, mitigating and accepting risks).
- Cybersecurity principles, security models, organizational requirements (w.r.t. confidentiality, integrity, availability, authentication, non-repudiation), cyber threats, risks and vulnerabilities, cryptography and cryptographic key management concepts, host/network access control mechanisms (e.g., ACLs), network access, identity and access management (e.g., PKIs), computer networking concepts and protocols, and network security methodologies.
- Ethical hacking principles and general attack stages; specific operational impacts of cybersecurity lapses; programming language structures and logic.
- Basic system administration, network, and operating system hardening techniques.
- Minimum 5 years’ experience in at least 3 of the following:
  - Use of vulnerability management and penetration testing tools.
  - Metasploit Pro, Core Impact, OpenVAS, Burp Suite, Nmap, Sqlmap, etc.
  - Scripting using one or more of the following: Python, Ruby, Bash, C/C++, C#, or Java.
  - Establishing/improving pentest policies, procedures, exceptions, and operations.
  - Leading or participating in cross-functional efforts for managing organization-wide risks.
  - Collecting, analyzing, reporting, and briefing discovered vulnerabilities.
  - Use of industry-standard and widely accepted pen-testing and analysis principles and methods.
- BA or BS degree in MIS, CS, or related cybersecurity discipline (Master's preferred).