This role is one of a number of hires throughout Q1 for our client in Dallas, one of the finest technology-driven financial institutions on the planet. Led by the CISO, this core team influences and advises the entire technology division globally; it is responsible for detecting and preventing attempted attacks and for helping to develop even more secure software, applications, and infrastructure.
In this role, you will be performing application penetration testing, application and IaC code reviews, educating development teams on secure coding practices, and evaluating system designs for potential weaknesses. The ideal candidate should have 3+ years of prior experience in penetration testing, code review, or cloud security assessment.
- Perform penetration tests of web applications, APIs, mobile applications, and thick-client applications, on-prem and in the cloud.
- Review application code (e.g. Java) and infrastructure code (e.g. Terraform).
- Perform manual and automated configuration reviews of cloud services.
- Run SAST and DAST tools and triage their findings to weed out false positives.
- Conduct read-out calls with the business to articulate risk and recommend a mitigation strategy.
- Develop secure architecture design patterns.
Technical Skills and Experience
- Experience in application vulnerability assessment and penetration testing of web applications, thick clients, APIs, or mobile applications (iOS and Android).
- Understanding of common vulnerabilities plaguing web and mobile applications, such as XSS, CSRF (XSRF), SSRF, clickjacking, HTTP response splitting, XXE, etc.
- Ability to assess the security of REST- and SOAP-based web services deployed on-prem or in the cloud.
- Expert knowledge of security risks related to web, mobile, web services, and client/server architectures.
- Experience in analysing and decomposing application architectures to identify security gaps.
- Working knowledge of application security tools such as fuzzers, scanners, debuggers, decompilers, proxy tools, simulators, browser security add-ons, TLS/SSL tools, password crackers, etc.
- Understanding of web security concepts such as the same-origin policy, CORS, etc.
- Working knowledge of HTTP security headers such as Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, X-XSS-Protection (now deprecated in modern browsers), etc.
- Familiarity with common web stack technologies (e.g. HTTP, HTML5, AJAX, REST, etc.) and platforms (e.g. DropWizard, AngularJS, Tomcat, .Net, Sybase, MS SQL, MongoDB, etc.)
- Understanding of core cryptography concepts (encryption, hashing, HMAC, digital signatures, random number generators, key storage, crypto libraries, etc.) and how they are applied and attacked in web applications (e.g. TLS attacks, CBC padding-oracle attacks).
- Participate in review calls with the developers to explain the vulnerabilities to them and suggest controls.
- Experience with penetration testing tools such as Burp Suite, Wireshark, OpenSSL, Nikto, Nmap, ZAP, Echo Mirage, Sysinternals, Mallory, etc.
- In-depth understanding of the SDLC and common development models such as Scrum.
- Knowledge of network, application and operating system security risks.
- MSc in Computer Science, System/Computer Engineering, Cyber Security, or Information Security.
- Experience or training in related disciplines, e.g. computer science, computer security, software development, system design, open-source frameworks, etc.
- Familiarity with automated source code analysis tools such as Checkmarx, Fortify, or AppScan is valued.
- Contributions in the form of white papers, blogs, conference/chapter talks, or security tools are a welcome addition to a résumé.
To apply for this role, either contact Olly at firstname.lastname@example.org, or fill in the form below and he will receive your application.
Apply for this role