Assistant Manager/Senior Executive, Offensive Engineering
1 day ago
The Offensive Engineering Analyst will be responsible to conduct vulnerability assessment/penetration tests of Income internal/external web, mobile an..
The Offensive Engineering Analyst will be responsible to conduct vulnerability assessment/penetration tests of Income internal/external web, mobile and web service applications and execute simulated security testing against corporate web applications, networks, and infrastructure. This role will come under the IT Risk and Security department, reporting to the Senior Manager of Cyber Assurance.
Key Responsibilities
- Coordinate with external vendors to conduct application security/penetration tests of Income internal/external web, mobile and web service applications, leveraging both manual techniques as well as automated tools in order to uncover and report security vulnerabilities that exist and liaising with systems & applications owners on follow up actions.
- Perform vulnerability scanning/discovery, tracking of remediation SLA and vulnerability fix verification in support of the remediation
- Plan and scope the internal Red Teaming program to conduct red teaming exercises and execute adversarial simulations mimicking real-world threat actors (APTs, insider threats, etc.) against Income environment using tools and manual techniques.
- Conduct compliance audit on Income Systems and Devices hardening standards.
- Perform risk assessment and recommend mitigations on vulnerability findings when remediation is not possible.
- Administer security tools and service providers.
- Support the running of bug bounty and vulnerability disclosure programs.
- Conduct meetings to communicate the findings and implications to stakeholders and track remediation status and outcomes.
- Undertake other projects and tasks that may be assigned by management.
Qualifications
- Bachelor's Degree with more than 5 years of experience in technology, information or cyber risk management, information security or enterprise architecture.
- Minimum of three years years of experience in offensive security (Red Teaming, Penetration Testing, or related fields).
- Minimum of two years direct information security experience in penetration testing, vulnerability assessment, threat hunting, red teaming or similar roles.
- Strong background in application development, web application technologies and architectures, application security testing or vulnerability assessment.
- Familiar with penetration testing steps, methods, procedures, and excellent in using penetration testing tools.
- Familiar with attack techniques and methods, common security vulnerabilities and threats of network and application systems, and competent in identifying and evaluating these vulnerabilities and threats with existing tools.
- Equipped with programming skills in Java, .NET or Python.
- Relevant industry certifications such as CEH, OSCP, OSCE, GPEN, GWAPT, CREST CRT certifications is preferred.
Competencies
- Hands-on experience on vulnerability assessment tools (Preferably Tenable and others such as Qualys, Rapid7).
- Working knowledge on industry standard scoring models such as CVSS.
- Working knowledge on SAST, DAST, IAST, SCA and DevSecOps.
- Familiarity with penetration testing techniques (eg web application proxies, packet capture analysis software, browser extensions, penetration testing Linux distributions, static source code analyzers, SoapUI, etc).
- Good understanding of adversary tactics, techniques, and procedures (TTPs), such as those outlined by MITRE ATT&CK.
- Good understanding of offensive security tools (e.g., Cobalt Strike, Metasploit, Burp Suite, BloodHound, Mimikatz).
- Good written skills and able to effectively communicate security and risk-related concepts to technical and non-technical audiences.
- Work well under pressure and demonstrate the ability to meet tight deadlines.
- Able to work independently and in a team-oriented, collaborative environment.
Official account of Jobstore.