Senior Application Penetration Tester
Chubb
- Thessaloniki
- Permanent
- Full-time
- Manage the overall vulnerability remediation status of the global application portfolio
- Primary point of contact with IT application development teams for remediation related matters
- Accurately track vulnerability remediation efforts
- Hold regular status calls with portfolio leads as necessary to maintain a consistent channel of communication
- Follow up on overdue vulnerabilities with portfolio leads
- Manage global application risk rating processes
- Ensure timely risk scoring of new and changing applications
- Ensure enterprise application repository information is up to date with security and risk information
- Create and distribute regular vulnerability status reports to portfolio leads and CIOs
- Provide recommendations for automation or other process improvement suggestions for operational processes
- Prior experience with managing Information Security projects
- Bachelor's Degree in Computer Science, Engineering, or other Engineering or Technical discipline or equivalent relevant experience
- Minimum of 2 years' professional experience performing web application penetration testing, API endpoint testing, and mobile penetration testing (iOS & Android).
- Knowledge of prioritizing remediation activities with operational teams through risk ratings of vulnerabilities and assets
- Knowledge of industry standards regarding vulnerability management including Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS)
- Knowledge of technology and security topics including network security, wireless security, application security, infrastructure hardening and security baselines, web server and database security
- Knowledge of penetration testing principles, tools, and techniques.
- Working experience with industry frameworks (OWASP, NIST, etc.)
- Comfortable working outside their comfort zone with a willingness to learn
- Excellent verbal and written communication skills
- Strong analytical skills
- Strong team player with ability to work independently
- Strong project management skills and ability to multi-task
- Self-motivated with strong initiative
- Knowledge of computer networking concepts and protocols, and application security methodologies
- Skill in performing impact/risk assessments
- Good understanding of secure SDLC, data protection, information security principles and exploit/attack techniques.
- Familiar with all basic concepts related to networking, applications, and operating system functionality, and able to apply application logic manipulation, bypassing of security controls, and exploit development.
- Assist with scoping engagements, leading from kickoff through remediation, and track vulnerabilities as per timelines.
- Improve operational efficiency by building and evaluating workflow processes, procedures, checklists, automation, and tooling.
- Security testing tools including Kali Linux, Metasploit (MSF), Nmap, Burp Suite, OWASP ZAP Proxy, Santoku, GenyMotion, Appie, APKTool, JD-GUI, sqlmap, etc.
- Skilled in identifying OWASP TOP 10 (Web & Mobile) vulnerabilities.
- Develop secure coding checklists for applications based on OWASP ASVS (Application Security Verification Standard).
- Lead and execute security assessments to identify business risk, likelihood and impact an attacker may have on the system due to bad coding errors and weak or missing security controls.
- Experience with conducting reverse engineering on mobile applications, identifying hard-coded passwords, SQLi and keychain distributions, including applications with anti-emulator and obfuscation protections.
- Experience conducting full-scope assessments and penetration tests including social engineering, reverse engineering, server- and client-side attacks, and web and mobile application exploitation.
- Identify and prioritize key risk areas balancing the business risk and cyber threats.
- Code analysis for control flow, application logic bypasses, and security flaws.
- Utilize attacker tools, tactics, and procedures to perform analysis and identify vulnerabilities.
- Validate security weaknesses, research new attack techniques, and develop custom scripts, exploits, tools, and methodologies to enhance penetration testing processes.
- Identify and demonstrate vulnerabilities that may be used by an adversary to exploit components of the target systems.
- Analyze security findings, including risk analysis and root cause analysis.
- Risk rate the vulnerabilities based on actual impact to the business.
- Ability to document security weaknesses, including steps to reproduce and explain technical details in a concise, understandable manner.
- Develop comprehensive and accurate security penetration reports.
- Research and formulate practical short and long term remediations for vulnerabilities.
- Effectively communicate findings and strategy to business stakeholders, including technical and executive leadership.
- Work closely with development teams to ensure remediated vulnerabilities are closed once the fix is deployed to production.
- Ability to maintain and develop dashboards to track the status of security vulnerabilities.
- Follow up on the overdue vulnerabilities to meet the compliance requirements.
- Good to have security certifications: GIAC Web Application Penetration Tester (GWAPT), GIAC Penetration Tester (GPEN), Licensed Penetration Tester (LPT), Certified Ethical Hacker (CEH), OSCP or OSWE, etc.
- Active team player with interpersonal, collaborative, and consultative skills.
- Strong, clear, and concise verbal and written communication skills
- Ability to adapt, reprioritize project work, and help drive the team's focus as priorities shift or requirements change