Job Description:
Job Duties:
· Review the implementation of forms used in browser-based/Web applications and perform input-poisoning attacks
· Conduct web application and code testing for all systems and applications, including open source dependencies, providing analysis and risk assessments for vulnerabilities discovered
· Utilize code analysis and fuzzing tools that are furnished or approved by the Federal Agency to assess the quality and security of source code
· Conduct code reviews for all code changes in a given application release, providing both a detailed risk analysis of the security posture of the code and technical programming solutions (secure coding standards) to the developers to prevent insecure code from being implemented
· Review session management controls to ensure that browser-based/Web applications maintain distinct user sessions
· Attempt to subvert application and database security controls
· Evaluate secure socket layer (SSL) implementation and configuration
· Test susceptibility to SQL injection
· Test susceptibility to other input poisoning
· Create a process for testing Federal systems, networks, or Web applications to find vulnerabilities
· Provide reports as needed to the Federal Agency based on testing
· Support all aspects of penetration (PEN) testing as assigned by the Federal Agency
· Be flexible to support multiple PEN engagements as needed
· Work with engineering and QA teams to build tools and scale security in a continuous deployment environment
· Assess the security of applications, APIs, and platforms via penetration testing and code reviews
· Conduct testing in accordance with the following Federal standards and industry best practices:
o National Institute of Standards and Technology (NIST) Technical Guide to Information Security Testing and Assessment SP800-15
o Information Systems Security and Privacy Policy (IS2P2)
o Acceptable Risk Safeguards
o Open Web Application Security Project (OWASP)
Skills & Requirements:
· 8-10+ years of security-related experience and background
· Strong knowledge of, and ability to perform, the following types of testing:
o Penetration testing
o Vulnerability assessment/scanning
o Malicious software analysis
· Strong foundation in one or more of the following:
o Data management security
o Authentication
o Network and cloud security
o Strong engineering background (preferred)
o Application architecture experience (preferred)
o Strong technical acumen in securing software and hardware
· A Bachelor's degree or higher in Computer Science, Electrical Engineering, Information Assurance, Network Security, Computer Engineering, or a related field, or equivalent experience
· Experience with Nessus/AppScan/Burp Suite in a complex network environment is preferred
· Demonstrated ability to exploit and mitigate application-level vulnerabilities