The Vulnerability and Penetration Testing Engineer utilizes extensive experience, standardized and custom testing tools, threat intelligence information, and risk management concepts during the assessment process to deliver prioritized findings based on projected business impact.
The role holder will provide extensive post-analysis consulting, both written and verbal, to constituents to ensure all parties adequately understand the findings and how to successfully remediate the vulnerabilities. The role holder will also engage in ongoing industry, technology, and threat research to ensure the Firm maintains an effective assessment program capable of protecting the confidentiality, integrity, availability, and recoverability of information, systems, and facilities in compliance with organizational policies and standards.
The Security Architect, Vulnerability, and Risk Assessment evaluates the security posture of systems, processes, and applications to identify vulnerabilities that expose the Firm to risk as defined and quantified by the Firm’s Risk Management Framework and ISMS Policy.
Serve as the subject matter expert within the Firm's VAPT team
The individual will critically analyze proposed and existing solutions for adherence to recognized standards of secure system design, including requirements resulting from the ISMS Policy, client contracts, the regulatory environment, and professional obligations
Architect, implement, and support assessment solutions identified as necessary for the protection of Firm assets
Provide effective oversight and guidance for other VAPT team members
Continually evaluate relevant products, tools, scripts, and techniques that improve existing assessment capabilities
Prioritize assessments to maximize risk reduction efforts relative to business impact and resource availability
Develop comprehensive and understandable assessment reports that effectively summarize findings and recommendations
Assist constituents with remediation activities by acting in a consulting role, retesting as needed
Skills and Experience:
Commanding knowledge of VAPT concepts and best practices, including the requirements for WhiteHat/ethical hacking.
Expert understanding of the difference between a vulnerability assessment and a penetration test in the context of assessment scope, objectives, and deliverables
Extensive experience with common automated VAPT tools such as Nessus, Appscan, Burp Suite, Nipper, and Trustwave
Proficiency with other common attack tools and frameworks such as Wireshark, Kali, and Metasploit
Proficiency with mobile platform security technology, including vulnerability identification and exploitation tools as well as mobile platform security best practices and frameworks
Ability to validate the presence of identified vulnerabilities with accuracy
Expert understanding of security concepts, technologies, controls, and best practices
Working knowledge of information security frameworks such as ISO27001, NIST, and CIS
Ability to synthesize contract language and convert such language to controls
Authoritative understanding of security threats, qualitative and quantitative risk valuation models, and effective tools, tactics, and techniques for risk reduction
Expertise with risk management principles in the context of application assessments
Authoritative understanding of underlying application technologies to assist with robust assessment strategy
Authoritative understanding of principles, theories, techniques, and methods of information system analysis and programming, particularly secure coding practices
Thorough knowledge of data processing and data communications concepts and services
Working knowledge of encryption technologies and standards, both at-rest and in-flight
Expert analysis skills, including the gathering and analyzing of facts, formulating objective conclusions modified by subjective and experience-based qualifiers when appropriate, defining problems, and promoting solutions
Ability to adapt, integrate, and modify existing programs or vendor-supplied package programs for use with existing information systems
Proficient in the delivery of training and informational sessions to technical and non-technical constituencies
Proficient in oral and written English
Ability to be productive and maintain focus without direct supervision