The senior security engineer is a fully qualified individual contributor with expert knowledge of information security services/analysis concepts, penetration techniques, methodologies, and procedures. The engineer will be expected to work on the most complex assignments and perform a comprehensive range of information security services operations activities.
- Find security vulnerabilities in target systems, networks, and applications in order to help enterprises improve their security by identifying which flaws can be exploited to cause business risk.
- Conduct network and application penetration testing for exploitation opportunities.
- Conduct vulnerability research and analysis.
- Exploit common vulnerabilities and misconfigurations associated with common operating systems (Windows, Linux, etc.), protocols (HTTP, FTP, etc.), and network security services (PKI, HTTPS, etc.) for gaining access to systems.
- Identify tactics, techniques, and procedures (TTPs) for intrusion sets and emulation of cyber adversaries.
- Develop, refine and utilize tools, techniques and procedures to conduct red team exercises.
- Use commercial and open source network cyber assessment tools (e.g. Core, Qualys, Nmap, Metasploit, Nessus, AppSpider).
- Use advanced software applications for network monitoring, forensics, and malware and vulnerability analysis.
- Provide crucial insights into the most pressing issues and suggest how to prioritize security resources.
- Identify security metrics delivery and improvements.
- Create recommendations for threat mitigations.
- Produce high-quality testing reports.
- Minimum six years’ information security technical experience
- Minimum Certified Ethical Hacker (CEH) certification
- Experience creating test plans for cybersecurity penetration testing during developmental testing (DT) and operational testing (OT) and executing DT and OT plans to discover in-depth vulnerabilities and usable exploitations in a system and/or organization
- Experience in conducting vulnerability/compliance assessments
- Experience in web application penetration testing activities which include: discovery, vulnerability testing and exploitation
- A solid understanding of web servers, middleware, database server components
- Experience developing web applications a plus
- Working knowledge of tools such as AppScan, WebInspect, Arachni, w3af, Burp, fuzzers, etc.
- Familiarity with OWASP testing guidelines
- Understanding of Secure Development Life Cycle (SDLC)
- Ability to perform manual testing, SQL injection, and parameter manipulation
- Possess an understanding of Microsoft Office and various Microsoft/UNIX/Linux systems
- Understand and be well versed in common cyber threat terminology, vulnerability and penetration test principles and methodologies, possess basic knowledge of cyber incident and response, and related current events
- Six or more years of professional experience
Social engineering experience is a plus
Possess a number of technical certifications from the following list:
- Offensive Security Certified Professional (OSCP)
- Web Application Penetration Engineer (WAPT)
- GIAC Web Application Penetration Engineer (GWAPT)
- GIAC Penetration Engineer (GPEN)
- (ISC)² Certified Information Systems Security Professional (CISSP)
- Cisco Certified Network Associate (CCNA)