Sr. Penetration Tester and Vulnerability Analyst - Active Secret Clearance Required

Employer
ASD, Inc.
Location
Arlington, VA
Posted
Jul 21, 2019
Closes
Jul 23, 2019
Ref
222521674
Function
Analyst
Hours
Full Time
Please Note This position requires an Active Secret Clearance. This role is a 6 month contract to hire role, where you will convert to our client's payroll sometime after 6 months. Job Description We are seeking a Sr. Penetration Tester to provide Cloud Penetration testing and Vulnerability Analysis support to a cabinet level federal agency. You will contributes to a team of information assurance professionals working to improve the clients technical security posture. Duties include planning and conducting penetration tests, writing reports, briefing event details to leadership, and coordinating remediation with personnel throughout the globe. Responsibilities Performs cloud and network penetration testing, application testing, source code reviews, threat analysis, and social-engineering assessments Briefs executive summary and findings to stakeholders to include Sr. Leadership Have an understanding of how to create unique exploit code, bypass AV and mimic adversarial threats. Assesses the current state of the customer s system security by identifying all vulnerabilities and security measures. Helps customer perform analysis and mitigation of security vulnerabilities. Researches and maintains proficiency in tools, techniques, countermeasures, and trends in computer network vulnerabilities, data hiding and network security and encryption. Provide support to incident response teams through capability enhancement and reporting. Mentor Jr and Mid staff members by creating and teaching latest techniques in ethical hacking and vulnerability analysis. Frequently Asked Questions What is the mission of the program? Red Cell s mission is to improve the security posture of DoS networks by performing targeted engagements of key DoS systems, technologies, capabilities, and resources. To effectively communicate the severity of vulnerabilities to data owners and DoS management, both penetration tests and red team engagements go beyond the standard services provided by a vulnerability assessment. During engagements, Red Cell provides a proof of concept for exploitation of vulnerabilities by emulating DoS adversaries. Red Cell may, in much the same way a malicious actor would, actively exploit identified vulnerabilities. Red Cell identifies risk to the DoS primarily by performing these engagements. This information prompts the mitigation of such risk before it is used to harm DoS, the national security of the United States, or the safety of its citizens. Through the demonstration of the potential risk of unmitigated vulnerabilities to the Department, without negatively affecting national security as a malicious actor would, Red Cell provides real world results to stakeholders and DoS management to implement appropriate security controls. In addition, vulnerability assessments and specific application assessments conducted outside of the scope of a full penetration test or red team engagement round out Red Cell s capabilities and provide for more versatility in conducting the mission. What will a typical work day look like for the Contract Labor Associate (CLA)? Is this a team setting? Core hours are 9-3, with flexibility to arrive earlier or later to make a full 8 hours. Some flexibility in schedule is allowed with prior approval of the Government lead. Remote work is not currently authorized on this contract. The team is very collaborative and coordination and teamwork is highly encouraged. What are the top three skillsets the candidate should have? Performs cloud and network penetration testing, application testing, source code reviews, threat analysis, and social-engineering assessments Have an understanding of how to create unique exploit code, bypass AV and mimic adversarial threats. Researches and maintains proficiency in tools, techniques, countermeasures, and trends in computer network vulnerabilities, data hiding and network security and encryption. What is the interview process (phone then in-person or only phone, etc.)? In general our hiring process starts with a phone interview, approximately 15-30 minutes long. If the candidate seems like a good fit for the team they are brought in for a face-to-face interview that consists of a 15 minute QA and an approximately 45 minute hands-on practical exercise to test the candidates problem solving skills and familiarity with our tool-set. Education A Bachelor s degree in Computer Science, Information Systems, Engineering, Telecommunications, or similar field required. Master s degree preferred Qualifications Must possess six (6) years of substantive IT knowledge and demonstrate hands-on expertise andor training in areas of emerging cloud and mobile technologies. The focus of this position is on testing the security and implementation of GOV-Cloud systems (Amazon AWS, Google Cloud, and Microsoft Azure and O365, among others), assessing the risks inherent in a cloud implementation, and how that impacts the traditional on premises existing architecture. The candidate must also have hands-on experience and expertise with ethical hacking, traditional penetration testing techniques, secure coding practices and threat modeling. Be a self-starter with, keen analytical skills, curiosity, agility, and adaptability. The ability to work quickly, willingness to work on ad hoc assignments, work independently as needed, strong written and verbal communication skills, and recognizing the importance of being a team player. Required Qualifications Able to conduct Penetration Tests and Vulnerability Analysis using Automated and Manual TTPs. Have experience with common cloud implementations and their vulnerabilities Web Application vulnerabilities like SQLi, XSS, CSRF, and HTTP Flooding. Must be able to use at least two of the following proficiently and instruct others on them Nessus, Burp, Metasploit FrameworkPro, and the Social Engineering Toolkit. Must have solid working experience and knowledge of Windows and UnixLinux operating system Firm understanding of network and system architecture and analysis. Fundamentals of network routing switching, assessing network device configurations, and operating systems (Windowsnix) Scripting (Windowsnix), Bash, Python, Perl or Ruby, Systems Programming Strong familiarity with at least one of the following OWASP top 10, PTES and NIST 800-53. Must be able to work alone or in a small group. Preferred Qualifications OSCP, GIAC GPEN, GWAPT or other Penetration Testing certifications CISSP Certified Ethical Hacker

Similar jobs