The Web Application Penetration Tester role will sit in the Cyber Security Defence function. This function is responsible for all aspects of threat intelligence and monitoring, application and network security, and insider threat. In addition, the CSD team drives out the enterprise-wide cyber exercise program.
What will your responsibilities include?
Conduct application security/penetration tests of internal/external web, mobile and web service applications
Leverage both manual techniques and automated tools to uncover and report security vulnerabilities
Communicate security vulnerabilities to application developers and/or senior managers who may have little to no experience with application security vulnerabilities
What skills will you possess?
Experience conducting vulnerability assessments, code reviews and penetration tests against web/mobile application technologies, services, platforms and languages to find flaws and exploits (e.g. SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, Clickjacking, Authentication/Authorization, Privilege Escalation, Business Logic Bypass, OWASP Top 10, SANS Top 25 etc.)
Knowledge of network and web-related protocols/technologies
Ability to demonstrate manual web application testing experience
Experience with web application vulnerability scanning tools (e.g. IBM AppScan, HP WebInspect, Acunetix, NTOSpider, Burp Suite Pro, Seeker etc.)
Experience with vulnerability assessment tools and penetration testing techniques (e.g. web application proxies, packet capture analysis software, browser extensions, advanced penetration testing Linux distributions, static source code analyzers, SoapUI etc.)
Experience of penetration testing on mobile platforms such as iOS, Android, Windows and RIM would be advantageous
Technical knowledge in at least 3 of the following areas: general information security; security engineering; application architecture; authentication and security protocols; application session management; applied cryptography; common communication protocols; mobile frameworks; single sign-on technologies; exploit automation platforms; RESTful web services
Demonstrated ability to learn and apply critical thinking to a variety of situations
One or more of the following certifications: OSCP, CISSO, GWAPT, CEH (or qualified work experience)
Experience as a developer
Mobile programming abilities such as Xcode, Objective-C
Knowledge of a Structured Query Language