The Senior Penetration Tester / Information Security Vulnerability Management Specialist makes decisions based on operational status and project requirements, and makes recommendations to management based on actions taken, current status, and potential exposure and/or risk. The Specialist stays engaged with management, providing updates and status reports to support any decision that needs to be made about a current security risk exposure or operational stability concern.
Other responsibilities will include:
• Responsible for performing operating system, 3rd party application and internally developed application penetration testing and vulnerability assessments.
• Collaborates with other technical leads (Network, Server, and Application), field services technicians, project managers, data center operations, and technical subject matter specialists to integrate security controls into a cohesive architecture that sufficiently mitigates risk to the company. The Specialist must have strong critical thinking skills.
• Mentors and coaches other Security Analysts to provide guidance and expertise in their growth.
• Consistently demonstrates regular, dependable attendance & punctuality.
• Bachelor’s Degree and 5-7 years of experience in IT or Information Security or an equivalent combination of education and experience.
• Experience with vulnerability assessment and penetration testing tools (such as nmap, Nessus, Qualys, eEye Retina, Metasploit, OpenVAS, OpenSSL, CoreImpact, WebInspect, etc.) and manual testing.
• Remediation experience with patching and/or mitigation of findings from all of the aforementioned testing and assessments.
• Risk assessment experience with computer systems and applications.
• Best practice and architecture experience with computer systems and applications.
• Expert-level skills in manual methodologies and tools to perform the tasks listed above.
• One or more certifications such as: CISSP, OSCP, OSCE, OSWE, OSWP, GWAPT, GSEC, GISP, GPPA, GCUX, GCWN, GCED, GPEN, GSNA, GAWN, GXPN, or GSE.
• Understanding of risk assessment methodologies, and the ability to assist with coordinating discussions with other teams.
• Maintaining metrics, in addition to leading and analyzing security reporting.
• Strong knowledge of TCP/IP, HTTP, FTP, cookies, authentication, vulnerability scanning, web servers, SSL/encryption and reporting packages.
• Knowledge and skill to provide remediation guidance for vulnerabilities found either through manual testing or with the tools previously mentioned.
• Able to create risk remediation reports.
• Ability to understand, analyze and correlate technical vulnerabilities and implement counter-measures to mitigate them.
• Ability to identify common network and website attacks such as SQL injection, cross-site scripting, remote file inclusion, and cookie manipulation.
• An advanced understanding of web application authentication, session management, form submission, etc.
• An understanding of a wide array of server-grade applications, including DNS, SMTP, IIS, Apache, LDAP, SQL, etc.
• Understanding and working knowledge of regulatory and audit mandates to ensure environments meet PCI, FFIEC, SOX, and corporate standards.
• Ability to work a flexible schedule based on department and company needs.