As a Lead Penetration Tester, you will perform security testing of IBM product and SaaS offerings in development and production environments. You will also work closely with IBM product development teams to strengthen the security posture of their products by participating in threat modeling and source code security testing, and by sharing best practices and lessons learnt for secure coding and design. You will also be involved in mentoring other team members in the same.
Job Roles and Responsibilities:
- Planning and scheduling the penetration tests.
- Reviewing the findings of the pentest and mentoring other teammates.
- Carry out application, network, systems and infrastructure penetration tests
- Review physical security and perform social engineering tests where appropriate
- Evaluate and select from a range of penetration testing tools
- Keep up to date with latest testing and ethical hacking methods
- Deploy the testing methodology and collect data
- Report on findings to a range of stakeholders
- Make suggestions for security improvements
- Enhance existing methodology material
- 7+ Years of Relevant Experience
- Web Application Penetration Testing
- Network Penetration Testing
- Understanding of Cloud Security Services
- Web Services Penetration Testing
- Understanding of Docker, Kubernetes & Clusters
- Web Application Testing – Basic understanding of the HTTP protocol
- HTTP methods, request/response headers, cookies, TCP/IP connections over HTTP, etc.
- Good understanding of security vulnerabilities (OWASP Top 10 vulnerabilities)
- Must have knowledge of at least one of IBM AppScan or Burp Suite scanner. (Knowledge of both tools is good to have.)
- Should be able to configure an automated scanner (such as login sequence, manually exploring critical flaws, policy customization, scan throttling, etc.) to perform a successful scan.
- Assessing scanner results and intelligently identifying false positives in the scan results
- Knowledge of Burp features, mainly Spider, Intruder, Scanner, Repeater and Extender
- Should be able to understand the above-mentioned OWASP Top 10 categories to perform manual testing.
- Flaws that are not detected by an automated scanner, such as authentication (session management), CSRF and business logic flaws, must be identified using manual testing.
- Understanding of the workflow of the application and identifying the entry points to detect possible vulnerabilities.
- Webservice Testing
- SOAP/REST API testing. Configuring cURL commands and the Postman tool to capture requests in an automated scanner.
- Network Testing
- Security Certifications
- Any of the security certifications such as CEH, ECSA, OSCP, GPEN, GWAPT, eWPT, eWPTX, etc.