Lead Associate Principal – Penetration & Vulnerability Testing

Company: OCC
Location: Dallas, TX, USA, Chicago, IL, USA
Salary: $139700 – $229500
Type: Full-Time
Degrees
Experience Level: Senior, Expert or higher

Requirements

  • High energy, results driven person with an attention to detail.
  • Strong enthusiasm to stay up-to-date on Threat Intelligence and learn about new vulnerabilities and exploits on a regular basis.
  • Exceptional analytical, problem solving and troubleshooting skills with the ability to exercise good judgment while developing creative solutions.
  • Exceptional tactical planning skills based on long-term strategic goals.
  • Exceptional verbal/written communication skills to be able to articulate ideas clearly and concisely.
  • Excellent listening skills.
  • Excellent focused domain areas of expertise as well as a good breadth of experience across Network/Application Penetration Testing, Web Application Penetration Testing, Mobile Application Penetration Testing, Infrastructure Development, Open Source Intelligence, and more.
  • Proven due diligence and research ability via open-source avenues and technology.
  • Strong familiarity with enterprise technologies; strong technical background and understanding of security-related technologies; prefer operational experience as an administrator, engineer, or developer and direct experience testing in commercial cloud environments (AWS, Azure, IaaS/PaaS/SaaS).
  • Good applicable knowledge of policy and procedure development, systems analysis, Information Assurance (IA) policy, vulnerability management, and risk management.
  • Good understanding of regulatory standards including CSF, NIST, PCI, SSAE 16, SAS 70, HIPAA, FIPS 199, COBIT 5 and others as needed.
  • Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.
  • Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
  • Exhibit ability to understand and probe/exploit a diverse range of Network and Internet Protocols.
  • Exhibit ability to understand and modify code in a diverse range of programming languages and frameworks; must have direct practical experience with one or more high-level programming languages.
  • Ability to facilitate meetings and conversations.
  • Ability to work with business users, understand their needs and translate those needs to the final project deliverables.

Responsibilities

  • Assist the Security Penetration Testing Team to perform testing based on organizationally defined scope with strict adherence to the agreed-upon rules of engagement.
  • Conduct various Security Penetration Testing Team activities such as: Intelligence Gathering, Network/Operating System/Application Penetration Testing, Web Application Penetration Testing, Mobile Application Testing, Cloud Security Testing, etc.
  • Conduct ad-hoc white-box penetration testing of OCC’s infrastructure that is still in Development, or in need of pre-Production penetration testing.
  • Coordinate with IT owners to re-test and validate remediated Security Penetration Testing Team findings.
  • Execute Open Source Intelligence Collection and Analysis Techniques (OSINT); leverage available resources and develop custom tools.
  • Understand vulnerabilities and develop relevant exploits for use during Security Penetration Testing Team activities.
  • Verify vulnerability false positives.
  • Perform security risk assessment, threat analysis and threat modeling.
  • Perform independent reviews of OCC’s security, network, and applications.
  • Plan/Design/Execute security related activities and create artifacts.
  • Stay on-time, on-budget, and within scope of testing activities.
  • Develop clear detailed reports and recommendations based on concrete evidence.
  • Debrief users and provide remediation strategy on findings.
  • Ensure alignment of security controls in OCC’s testing program and supporting services and related policies and procedures with applicable regulations and industry standard best practices.
  • Assist management with the improvement of policies and procedures to support Security Testing activities as well as other security duties which may arise.
  • Participate in developing a security roadmap, adopt security best practices, and implement new ideas and innovations according to the industry trends.
  • Adhere to best practices and work toward delivering secure, quality products.
  • Consult with technical experts and system owners on all aspects of Information Security and Compliance.
  • Work closely with Production Support staff, Incident Response, and IT infrastructure to increase organizational security posture.
  • Support OCC’s security objectives and remediation efforts relating to Security Testing.
  • Support and successfully complete Audits.
  • Cross-train the other Security Penetration Testers.
  • Cross-train other teams within Security Services and OCC IT departments to provide subject matter knowledge of a specific adversarial threat/risk, or to assist with remediation path recommendations.
  • Participate in ‘Lessons Learned’ process to provide information to help OCC improve practices, methodologies, tools, and other technologies.
  • Stay current on Threat Intelligence, emerging technology trends, and the overall threat landscape.
  • Advise IT on current and emerging threats, their attack vectors, and how to mitigate them.
  • Provide leadership, share knowledge and mentor team members.
  • Support Security Penetration Testing Team management and activities and be a team player.
  • Perform other duties as assigned.

Preferred Qualifications

  • Nice to have experience working on critical infrastructure in a regulated environment.
  • Strong experience with custom scripting (Python, PowerShell, Bash, etc.) and process automation.
  • Strong experience with database security testing (MSSQL, DB2, MySQL, etc.).
  • Strong proficiency with common penetration testing tools (Kali, Metasploit, Nmap, Qualys, Nessus, Nexpose, Burp Suite, Wireshark, Recon-NG, Ettercap/Bettercap, Hashcat, Bloodhound, Sublist3r, Rubeus, Mimikatz, CrackMapExec, Exploitdb, Impacket, etc.).
  • Track record of vulnerability research and CVE assignments.
  • Experience with Mainframes, Windows, Unix, macOS, and Cisco platforms and controls.
  • Proficient in creating content with Microsoft Office (Word, Excel, PowerPoint, Visio).
  • Proficient in basic document management in a Microsoft SharePoint environment.
  • Experience with dedicated document management tools (e.g., DMS, PolicyTech) is a plus.
  • Experience with using ServiceNow is a plus.