Technology Risk Advisory – Pentester Application Security Associate

At Yardstick Management, we create seats at tables in the world’s leading companies for underrepresented and marginalized individuals. Below, you will find positions we’re sourcing for our partners. These roles range from Manager to C-Suite level positions. We hope that by browsing through these opportunities, you will find your next career goal and we’ll help make that connection for you. We look forward to assisting in your search.

Location: Atlanta, GA

Type: Full Time

Level: Associate / Manager

A leading global financial institution and services company, providing a broad range of innovative and collaborative solutions for cultivating environments and driving technology-focused applications, resources and products that digitize workflows and open new strategies for its markets and clients.

Position Description:

Led by the Chief Information Security Officer (CISO), Technology Risk secures our clients against hackers and other cyber threats. We are responsible for detecting and preventing attempted cyber intrusions against the firm, helping the firm develop more secure applications and infrastructure, developing software in support of our efforts, measuring cybersecurity risk, and designing and driving implementation of cybersecurity controls. The team has global presence across the Americas, APAC, India and EMEA. Within Technology Risk, Advisory is the consultative and technology subject matter expertise arm, responsible for assessing new technology initiatives for risk, partnering with engineers to architect and design secure products and services, embedding implementation reviews as part of the SDLC and CI/CD pipeline via code analysis and penetration testing, and guiding technology innovation in terms of security and control across the business. The team plays a critical role in designing and assessing controls for our transition to building native public cloud applications.

Key Roles and Responsibilities: 

  • In this role, you will perform application penetration testing, application and IaC code reviews, educate development teams on secure coding practices, and evaluate system designs for potential weaknesses
  • The ideal candidate should have 3+ years of prior experience performing pentests, code reviews or cloud security assessments
  • Perform pentests of web applications, APIs, mobile applications and thick-client applications, on-prem and in the cloud
  • Review application code (e.g. Java) and infrastructure code (e.g. Terraform)
  • Perform manual and automated configuration reviews of cloud services
  • Leverage SAST and DAST tools and weed out false positives
  • Conduct read-out calls with the business to articulate risk and recommend a mitigation strategy
  • Develop secure architecture design patterns

Functional Background & Experience:

  • Experience in application vulnerability assessment and penetration testing of web applications, thick clients, APIs or mobile applications (iOS and Android).
  • Understanding of common vulnerabilities plaguing web and mobile applications such as XSS, XSRF, SSRF, Clickjacking, HTTP Response Splitting, XXE etc.
  • Assess the security of REST and SOAP based web services deployed on-prem or in the cloud.
  • Expert knowledge of security risks related to web, mobile, web services, and client/server architectures.
  • Experience in analyzing and decomposing application architectures to identify security gaps.
  • Working knowledge of application security tools such as fuzzers, scanners, debuggers, decompilers, proxy tools, simulators, browser security add-ons, SSL tools, password crackers, etc.
  • Understanding of web security concepts such as the same-origin policy, CORS etc.
  • Working knowledge of HTTP security headers such as CSP, HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection etc.
  • Ability to identify bugs/flaws in application programming languages such as Java, JavaScript, C++, C#, Python, Perl and optionally Objective-C, etc.
  • Familiarity with common web stack technologies (e.g. HTTP, HTML5, AJAX, REST, etc.) and platforms (e.g. DropWizard, AngularJS, Tomcat, .Net, Sybase, MS SQL, MongoDB, etc.)
  • Understanding of core cryptography concepts (Encryption, Hashing, HMAC, Digital signature, Random Number Generators, Key Storage, Crypto libraries etc.) and how they are applied and attacked in web applications (e.g. TLS attacks, CBC attacks).
  • Proficient verbal and written communication skills.
  • Participate in review calls with developers to explain the vulnerabilities and suggest controls.
  • Experience with penetration testing tools such as Burp Suite, Wireshark, OpenSSL, Nikto, Nmap, ZAP, Echo Mirage, Sysinternals, Mallory etc.
  • In-depth understanding of the SDLC and common development models such as Scrum etc.
  • Experience in crafting custom proof-of-concept application exploits using testing tools/frameworks or scripting exploits in Python, Perl, JavaScript, shell scripting, etc.
  • Knowledge of network, application and operating system security risks.
  • MS in Computer Science, System/Computer Engineering, Cyber Security, or Information Security.
  • Experience or training in related disciplines, e.g. computer science, computer security, software development, system design, open source frameworks, encryption schemes, etc.
  • Development experience in major languages such as Java, C#, Python is a plus.
  • Familiarity with automated source code analysis tools such as Checkmarx, Fortify or AppScan is valued.
  • Contributions in the form of white papers, blogs, conference/chapter talks or security tools are a good addition to the resume.
  • Familiarity with common cloud services, recommended security best practices and secure deployment patterns. AWS is preferred.

Demographic Data is Optional

Our business is founded on a mission to bring diversity, equity, and inclusion across business sectors and company leadership. At Yardstick, we celebrate diversity and welcome folks to be as open and candid to us in this process as they deem comfortable.

Individuals seeking employment at Yardstick Management partners’ organizations are considered without regards to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation.

Any information you provide to us is purely informational to track the demographics of our applicants and talent community. If we ever report on this data, it will be in aggregate.