As pentesting expert
, you will help EPAM's clients to assess the security level of their infrastructure, web and/or mobile applications. This position will require advanced technical depth and experience, technical leadership, and multi-faceted communication skills. Scope and tasks may vary depending on the customer needs. You may be involved in the full project lifecycle from analysis and planning to development and deployment, as well as assisting with pre-sales opportunities, delivering trainings on pentesting and different pentesting tools. Along with this, you may be engaged to perform short-term pentests requiring to act like an insider (internal penetration test) or external penetration test, in which you will simulate an attack via the Internet.
Both engagement types may require either penetration testing or vulnerability assessment.
- Scoping and estimating tasks, as well as managing multiple tasks with minimal supervision.
- Demonstrate proven knowledge while interacting with clients and stakeholders to understand and document requirements to
- build profile of business functions of the target
- create accurate threat model of the target
- define goal of security assessment
- Demonstrates considerable knowledge of planning and team management specific to security assessment
- Conduct vulnerability assessments and penetration testing
- Collaborate with technical personnel across the full assessment life cycle
- Utilize problem solving, especially within troubleshooting complex issues while identifying options and/or alternatives
- Document all disclosed issues adopting to different reporting formats
- Provide remediation suggestions to correct disclosed issues
- Collaborate with personnel responsible for writing and presenting proposals to prospective clients
- Manage and contribute to planning, engagement administration, budget management, and successful completion of engagement.
- Certification in security field. (OSCP certification is a plus. OSCE is highly appreciated)
- 2 years penetration testing experience of network, web and mobile applications
- Understanding and practical experience in security audit process, security standards(ISO, PCI DSS, HIPPA) and methodologies (OSSTM, OWASP, PTES)
- Ability to perform evaluation of application requirements, processes, technologies
- Ability to select, educate and communicate the right solution based on client requirements and objectives
- Experience with different exploitation tools and frameworks (Metasploit, BeeF, sqlmap, etc)
- Experience with different vulnerability scanners (Acunetix, Nessus, nmap, etc)
- Ability to resolve technical problems when required.
- Ability to develop custom scripts needed for specific assessment purposes (Python, bash, PowerShell)
- Ability to explain assessment results to technical and non-technical personnel
- Solid experience in development of security-related documentation
- Ability to develop, implement and guide security assessments' process on the project
- Experience in security testing of Web Applications based on different technologies(.Net, Java, PHP)
- Experience in security testing of Web Services (SOAP, RESTful)
- Experience in security testing of Mobile Applications (iOS, Android, Windows Mobile)
- Experience in network security testing (Windows, *nix-based)