Senior Penetration Tester
POSITION SUMMARY:
CODICE seeks a highly skilled Senior Penetration Tester to join our cybersecurity team. This role is crucial in ensuring the security and compliance of our systems through regular and ad-hoc penetration testing. The ideal candidate will be an expert in building and executing vulnerability assessment and penetration testing programs, with specific expertise in Ruby and the Ruby on Rails framework. This position reports to the Chief Information Security Officer (CISO) and plays a vital role in maintaining our organization's security posture.
ESSENTIAL FUNCTIONS
Duties and Responsibilities
Conduct regular and ad-hoc penetration tests on our systems, networks, and applications to identify security vulnerabilities and weaknesses.
Design, build, and maintain a comprehensive vulnerability assessment and penetration testing program.
Perform in-depth security assessments of Ruby on Rails applications, leveraging expert knowledge of the framework and its security implications.
Utilize a wide range of penetration testing tools and techniques to simulate real-world attacks and identify potential security breaches.
Analyze test results and provide detailed reports on findings, including severity assessments and remediation recommendations.
Work closely with development and operations teams to explain vulnerabilities and assist in implementing effective security controls.
Conduct security assessments of cloud environments, particularly AWS, addressing their specific security challenges.
Develop and maintain custom scripts and tools to enhance and automate the penetration testing process.
Stay current with the latest security threats, vulnerabilities, and exploitation techniques.
Participate in the development and improvement of security policies, standards, and best practices.
Provide expert guidance on secure coding practices, particularly for Ruby and Ruby on Rails applications.
Collaborate with the CISO and other security team members to continuously improve the organization's overall security posture.
Conduct post-exploitation analysis to determine the potential impact of identified vulnerabilities.
Assist in incident response activities when necessary, leveraging penetration testing skills to understand and mitigate threats
Knowledge, Skills and Abilities
Technical Skills
Programming Languages
Demonstrated proficiency in:
Python: Ability to write complex scripts for automation and exploitation
Ruby: Expert-level knowledge, including in-depth understanding of Ruby on Rails framework and its security implications
Perl: Familiarity with Perl scripting for text processing and system administration tasks
C: Understanding of low-level programming and memory management
C++: Knowledge of object-oriented programming and its application in security testing
Scripting Skills
Demonstrated expertise in:
Bash: Ability to create advanced shell scripts for automation and system interaction
PowerShell: Proficiency in writing scripts for Windows environment penetration testing
JavaScript: Capability to analyze and exploit client-side vulnerabilities
Operating Systems
Demonstrated expert knowledge of:
Windows: In-depth understanding of Windows architecture, services, and security mechanisms
Linux: Proficiency in various distributions, command-line operations, and system administration
Unix: Familiarity with Unix-based systems and their specific security considerations
Network Protocols
Demonstrated expert understanding of:
TCP/IP: Comprehensive knowledge of the TCP/IP stack and related protocols
UDP: Understanding of stateless communication and its security implications
DNS: Familiarity with DNS structure, record types, and common attack vectors
HTTP/S: In-depth knowledge of web protocols, including headers, methods, and secure communication
FTP: Understanding of file transfer protocols and associated vulnerabilities
SMTP: Familiarity with email protocols and related security issues
Penetration Testing Tools
Demonstrated proficiency with:
Metasploit: Advanced usage for exploitation and post-exploitation activities
Burp Suite: Expert-level use for web application security testing
Nmap: Proficiency in network discovery and security auditing
Wireshark: Advanced packet analysis and network traffic inspection
Nessus: Skill in vulnerability scanning and assessment
OpenVAS: Familiarity with open-source vulnerability scanning
Vulnerability Identification and Exploitation
Demonstrated expertise in:
SQL Injection: Advanced techniques for identifying and exploiting database vulnerabilities
Cross-Site Scripting (XSS): Proficiency in detecting and exploiting various types of XSS
Cross-Site Request Forgery (CSRF): Understanding of CSRF mechanics and exploitation
Buffer Overflows: Knowledge of memory corruption vulnerabilities and exploitation techniques
Demonstrated knowledge of
Advanced Exploitation Techniques: Familiarity with privilege escalation, pivoting, and lateral movement
Post-Exploitation Methodologies: Understanding of maintaining access, data exfiltration, and covering tracks
Cloud Security
Demonstrated expertise with:
AWS: In-depth knowledge of AWS services and their security implications
Cloud-Specific Security Challenges: Understanding of shared responsibility models, misconfigurations, and cloud-native vulnerabilities
Proficiency in:
Cloud Security Tools: Experience with tools designed for cloud environment penetration testing
Cloud Penetration Testing Techniques: Familiarity with methodologies specific to cloud infrastructure testing
Web Application Security Skills and Experience
Web Application Vulnerabilities
Demonstrated expertise of:
OWASP Top Ten: Comprehensive understanding of the most critical web application security risks
Other Common Vulnerabilities: Familiarity with issues like insecure deserialization, XML external entities (XXE), server-side request forgery (SSRF)
Web Application and API Testing
Demonstrated expertise in:
Manual Testing Techniques: Proficiency in hands-on discovery and exploitation of web vulnerabilities
Automated Testing Tools: Experience with web application scanners and API testing tools
API Security: Understanding of REST, SOAP, and GraphQL API vulnerabilities and testing methodologies
Secure Coding Practices
In-depth understanding of secure coding principles, particularly in Ruby on Rails applications
Ability to provide actionable recommendations for remediating identified vulnerabilities
QUALIFICATIONS
Required Education:
Bachelor’s degree in computer science, Information Technology, Cybersecurity, or a related field.
Required Experience:
Minimum of 8 years of experience in penetration testing and ethical hacking
Proven track record of successful penetration tests and vulnerability assessments
Strong analytical and problem-solving skills
Excellent written and verbal communication skills
Ability to explain complex technical concepts to both technical and non-technical stakeholders
Self-motivated with a passion for continuous learning in cybersecurity
Strong ethical standards and integrity
Ability to work independently and as part of a team in a fast-paced environment
Familiarity with compliance standards (e.g., PCI DSS, HIPAA, SOC 2)
Understanding of risk assessment methodologies
Experience with writing detailed, actionable penetration testing reports
Knowledge of secure development practices and SDLC integration
Required Licensure/ Certification:
Relevant industry certifications such as:
Offensive Security Certified Professional (OSCP)
Certified Ethical Hacker (CEH)
GIAC Penetration Tester (GPEN)
Other equivalent certifications demonstrating advanced penetration testing skills
Preferred Education:
Master’s degree in computer science, Information Technology, or a related field