The Vulnerability and Penetration Testing Engineer utilizes extensive experience, standardized and custom testing tools, threat intelligence information, and risk management concepts during the assessment process to deliver prioritized findings based on projected business impact.
The role holder will provide extensive post-analysis consulting, both written and verbal, to constituents to ensure all parties adequately understand the findings and how to successfully remediate the vulnerabilities. The role holder will also engage in ongoing industry, technology, and threat research to ensure the Firm maintains an effective assessment program capable of protecting the confidentiality, integrity, availability, and recoverability of information, systems, and facilities in compliance with organizational policies and standards.
The Security Architect, Vulnerability, and Risk Assessment evaluates the security posture of systems, processes, and applications to identify vulnerabilities that expose the Firm to risk as defined and quantified by the Firm’s Risk Management Framework and ISMS Policy.
- Serve as the subject matter expert within the Firm's VAPT team
- Critically analyze proposed and existing solutions for adherence to recognized standards of secure system design, including requirements resulting from the ISMS Policy, client contracts, the regulatory environment, and professional obligations
- Architect, implement, and support assessment solutions identified as necessary for the protection of Firm assets
- Provide effective oversight and guidance for other VAPT team members
- Continually evaluate relevant products, tools, scripts, and techniques that improve existing assessment capabilities
- Prioritize assessments to maximize risk reduction efforts relative to business impact and resource availability
- Develop comprehensive and understandable assessment reports that effectively summarize findings and recommendations
- Assist constituents with remediation activities by acting in a consulting role, retesting as needed
Skills and Experience:
- Commanding knowledge of VAPT concepts and best practices, including the requirements for WhiteHat/ethical hacking.
- Expert understanding of the difference between a vulnerability assessment and a penetration test in the context of assessment scope, objectives, and deliverables
- Extensive experience with common automated VAPT tools such as Nessus, Appscan, Burp Suite, Nipper, and Trustwave
- Proficiency with other common attack tools and frameworks such as Wireshark, Kali, and Metasploit
- Proficiency with mobile platform security technology, including vulnerability identification and exploitation tools as well as mobile platform security best practices, frameworks, etc.
- Ability to validate the presence of identified vulnerabilities with accuracy
- Expert understanding of security concepts, technologies, controls, and best practices
- Working knowledge of information security frameworks such as ISO27001, NIST, and CIS
- Ability to synthesize contract language and convert such language to controls
- Authoritative understanding of security threats, qualitative and quantitative risk valuation models, and effective tools, tactics, and techniques for risk reduction
- Expertise with risk management principles in the context of application assessments
- Authoritative understanding of underlying application technologies to assist with robust assessment strategy
- Authoritative understanding of principles, theories, techniques, and methods of information system analysis and programming, particularly secure coding practices
- Thorough knowledge of data processing and data communications concepts and services
- Working knowledge of encryption technologies and standards, both at-rest and in-flight
- Expert analysis skills, including the gathering and analyzing of facts, formulating objective conclusions modified by subjective and experience-based qualifiers when appropriate, defining problems, and promoting solutions
- Ability to adapt, integrate, and modify existing programs or vendor-supplied package programs for use with existing information systems
- Proficient in the delivery of training and informational sessions to technical and non-technical constituencies
- Proficient in oral and written English
- Ability to be productive and maintain focus without direct supervision
- GPEN, OSCP, GWASP, GMOB, or equivalent preferred
- CISSP, SSCP, CISM, CRISC, CISA, or CGEIT optional