Penetration Test Engineer

Job Description: SW - Network / Security
Location: OTHER - U.S.

Telecommuting position.

As a penetration tester on our team, you will:
• Perform application penetration testing, vulnerability assessments and application source code review against custom-built software applications on Internet-facing and native systems
• Identify and exploit vulnerabilities in applications
• Document technical issues identified during security assessments utilizing standard CWE and CVSS classifications
• Research emerging security topics and new attack vectors
• Work independently to meet customer and project deadlines
• Interact with customers in a collaborative, consultative manner to deliver results, provide feedback and remediation recommendations on penetration testing findings.
• Leverage automated analysis techniques for efficient delivery of focused and comprehensive test formats.

Senior Level Applicants:

CONTACT: David Steinbach, HRDotCom.com, 978-857-8661, dsteinbach@HRDotCom.com

Qualifications: 

Required Knowledge/Skills/Abilities:

• 2+ years of Professional Web-Application Development or Source Code Review Experience
• Development experience with multi-tiered Internet applications
• Understands web architecture and protocols (HTTP(S), TCP/IP, ARP, SMTP, DNS, etc.)
• Development and/or source code review experience in C/C++, C#, VB.NET, ASP, PHP, and Java
• Understanding of how data flows through an application and connected components (SMTP, LDAP, Database servers)
• Understanding of common software security issues and remediation techniques (OWASP top 10, SANS top 25, etc.)
• Familiar with common Windows commands and scripting
• Familiarity with general application and network security concepts
• Strong technical writing skills
• Excellent teaming and communication skills

All of the above Plus:

• 5+ years of penetration testing in a consulting environment
• 3+ years of source code review in a consulting environment
• Familiar with OWASP Top 10 and CWE/SANS Top 25 classification systems
• Familiar with profiling an application, identifying threats, and developing test cases to target identified threats
• Familiar with developing proof-of-concept exploit examples to use within reports or live demonstrations
• Familiar with documenting and communicating results that may be consumed by both developers and management-level audiences
• Familiar with testing not only web applications, but natively compiled applications, mobile applications, and web services
• Familiar with writing tools to aid in penetration testing
• Familiar with using tools such as:
  • Intercepting proxies (e.g. Burp Proxy, Charles Proxy, Webscarab Proxy, Paros Proxy, etc.)
  • Web Service Testing Tools (e.g. soapUI)
  • Disassemblers/Decompilers/Debuggers (IDA Pro, OllyDbg, WinDbg, jad, flare/flasm, SoThink SWF Decompiler, Firebug, etc.)
  • IDEs (e.g. Visual Studio or Eclipse)

Nice, but not necessary:

• University degree from an accredited college or university in Computer Science, Information Systems, Engineering or related major
• Experience developing custom scripts or tools used for vulnerability scanning and identification
• Consulting and/or project management experience
• Unix, Windows, or networking security experience
• Development and/or source code review in Flash/Flex and SharePoint Technologies
• Development and/or architecture familiarity with mobile applications, specifically iOS, Android and Blackberry

Job type: Contract / Consultant