Snr Exec, Offensive Engg

Posted on Dec. 3, 2024

  • Full Time

Key Responsibilities

  • Coordinate with external vendors to conduct application security/penetration tests of Income internal/external web, mobile and web service applications, leveraging both manual techniques and automated tools to uncover and report existing security vulnerabilities, and liaise with system and application owners on follow-up actions.
  • Perform vulnerability scanning/discovery, tracking of remediation SLAs and vulnerability fix verification in support of remediation.
  • Plan and scope the internal Red Teaming program to conduct red teaming exercises and execute adversarial simulations mimicking real-world threat actors (APTs, insider threats, etc.) against Income environment using tools and manual techniques.
  • Conduct compliance audit on Income Systems and Devices hardening standards.
  • Perform risk assessment and recommend mitigations on vulnerability findings when remediation is not possible.
  • Administer security tools and service providers.
  • Support the running of bug bounty and vulnerability disclosure programs.
  • Conduct meetings to communicate the findings and implications to stakeholders and track remediation status and outcomes.
  • Undertake other projects and tasks that may be assigned by management.

Qualifications

  • Bachelor's Degree with more than 5 years of experience in technology, information or cyber risk management, information security or enterprise architecture.
  • Minimum of three years of experience in offensive security (Red Teaming, Penetration Testing, or related fields).
  • Minimum of two years direct information security experience in penetration testing, vulnerability assessment, threat hunting, red teaming or similar roles.
  • Strong background in application development, web application technologies and architectures, application security testing or vulnerability assessment.
  • Familiar with penetration testing steps, methods, procedures, and excellent in using penetration testing tools.
  • Familiar with attack techniques and methods, common security vulnerabilities and threats of network and application systems, and competent in identifying and evaluating these vulnerabilities and threats with existing tools.
  • Equipped with programming skills in Java, .NET or Python.
  • Relevant industry certifications such as CEH, OSCP, OSCE, GPEN, GWAPT or CREST CRT are preferred.

Competencies

  • Hands-on experience with vulnerability assessment tools (preferably Tenable; others such as Qualys and Rapid7).
  • Working knowledge of industry-standard scoring models such as CVSS.
  • Working knowledge of SAST, DAST, IAST, SCA and DevSecOps.
  • Familiarity with penetration testing techniques (e.g., web application proxies, packet capture analysis software, browser extensions, penetration testing Linux distributions, static source code analyzers, SoapUI, etc.).
  • Good understanding of adversary tactics, techniques, and procedures (TTPs), such as those outlined by MITRE ATT&CK.
  • Good understanding of offensive security tools (e.g., Cobalt Strike, Metasploit, Burp Suite, BloodHound, Mimikatz).
  • Good written skills and able to effectively communicate security and risk-related concepts to technical and non-technical audiences.
  • Work well under pressure and demonstrate the ability to meet tight deadlines.
  • Able to work independently and in a team-oriented, collaborative environment.
