Description
Penetration Tester - required by my client, who is based in London.
Skills and Experience
Technical Skills
- Several years of experience performing security assessments of web and/or service-based applications, preferably with hands-on blue team experience on Internet-facing financial applications.
- Knowledge of OWASP Top Ten/SANS 25 issues and an understanding of the best-practice software engineering approaches that prevent them.
- Experience performing application security testing using manual/automated techniques, leveraging internal knowledge sources such as discussions with development teams and source code review to maximise coverage.
- Experience conducting fuzz testing and an established security assessment methodology.
- Experience working with C#, .NET, .NET Core, C++ applications.
- Understanding of the latest vulnerability classes, awareness of the techniques observed in the wild to compromise systems, and the ability to simulate them in testing exercises across infrastructure/systems.
- Ability to write tools to assist with application security testing coverage; experience with rapid instrumentation tools such as Frida, or leveraging in-house developed code, is desirable/useful.
Desirable Certifications
- OSEE, OSCE, OSWE, GXPN, GWAPT, OSCP, GPEN or equivalent.
Responsibilities
- Conduct security architecture design reviews with development teams as a subject matter expert to ensure that appropriate security controls are implemented and that a secure-by-design approach is maintained throughout the SDLC.
- Conduct application security assessments and penetration tests (client applications, web applications, web services, APIs, etc.) to verify the security posture of systems.
- Conduct assessments based on the context of the application, using manual/automated testing and analysis techniques. We expect you to have experience conducting assessments with the appropriate toolsets and to be versatile based on application context, i.e. leveraging Burp Suite for a web application or custom-built fuzzing tools to verify protocol implementations.
- Document identified findings using the established severity rating framework, and provide stakeholders with recommendations for short-term mitigation and long-term remediation options.
- Communicate issues to stakeholders across the business to manage the security posture of applications according to the Client's C.I.A. goals.
- Lead application security initiatives, such as continuous improvement of the Client's security posture by improving the SDLC and standardising secure implementations that can be reused across the application suite.
- Review the current threat landscape by monitoring the latest developments in the security industry, vulnerability notifications from threat intelligence sources and CVE advisories, assessing their impact on the Client's infrastructure/application suite.
- Assist the Client's Operational Security team and provide support on key security initiatives (e.g. annual phishing awareness tests, SIEM improvements, general security domain activities).
- Provide on-the-job training and mentoring to other members of the Client's team.
Mercator IT Solutions provides services as an agency and an employment business