Sirius Computer Solutions Security Consultant - Application Penetration Tester in Jefferson City, Missouri
The Security Consultant - Application Penetration Tester is responsible for providing application penetration testing. The Security Consultant will perform project execution and report preparation activities and findings in support of a client engagement. The Security Consultant will provide expertise in support of the sales organization and be expected to contribute to practice development by way of process improvements and assistance with new offering development.
Primary Duties & Responsibilities
• Conduct penetration testing of web and mobile applications. Candidate should be able to perform manual exploitation of identified vulnerabilities
• Recognize, explain, document and report vulnerabilities and exploits, describe the remediation activities, and communicate the results effectively, in both technical and layman's terms, to the appropriate audience.
• Provide the sales team with technical and security expertise in support of business development activities. Participate in sales calls, help scope projects, provide pricing estimates, and create pre- and post-sales documentation.
• Receive work assignments and timelines from the Practice Lead. Expected to maintain routine cadence with the assigned Project Manager to ensure all interested stakeholders are up-to-date regarding activities and project status.
• Provide clients with consulting services during a contracted engagement. Work within area(s) of expertise (e.g., penetration testing, social engineering testing, framework compliance, etc.).
• Review all findings and recommendations and work with assessment team to determine appropriate actions.
• Understand and identify business processes specific to the client's environment and the appropriate risk management practices. Make recommendations for improvement of processes and controls.
• Create and present clients with reports detailing methodology, findings, recommendations and remediation activities to increase security within the target environment
• Perform other duties as assigned by your manager or practice lead
Basic Qualifications -
• Bachelor’s Degree in Telecommunications, Engineering, Information Assurance/Security, Computer Science, Management Information Systems, or a related field
• 3+ years of consulting and technical experience in one or more of the following: web application penetration testing, secure software development, and code review.
• Must have a demonstrated technical background and understand secure software development, patch and configuration management, and database systems.
Other Position Requirements -
• Ability to think creatively when dealing with complex situations and attempting to manipulate and break applications
• Demonstrated understanding of the OWASP Top 10 and experience in discovering, verifying, and exploiting these vulnerabilities.
• Demonstrated knowledge of and ability to create Proof-of-Concept exploits for the following vulnerabilities:
o XML External Entity (XXE) Processing
o Cross-Site Scripting (XSS)
o Injection-style vulnerabilities such as SQL Injection (SQLi)
• Ability to discuss vectors for sensitive data exposure within various web applications frameworks
• Must be proficient with Burp Suite Professional
• Demonstrated knowledge of Page Controller and Model View Controller design/architecture and the difference in approach required for testing
• Demonstrated knowledge of the common approaches to remediating the OWASP Top 10
• Demonstrated knowledge of the OWASP Application Security Verification Standard (ASVS)
• A working knowledge of SSDLC best practices
• Experience with programming or scripting languages such as Python, PowerShell, Bash, Ruby, and Java, and with web data formats and protocols such as XML, SOAP, JSON, and AJAX
• Ability to create project reports to convey complex, technical information clients can understand
• Demonstrated communication and presentation skills, to include the ability to effectively work with clients in a consulting environment
• The ability to work independently with minimal oversight
• Demonstrated ability to manage multiple projects and timelines
• Demonstrated ability to perform technical skills/knowledge transfer to client
• Experience as a developer and proficiency with .NET or Java
• A demonstrated understanding of Web Application development
• Significant experience in development program creation and refinement
• Experience with secure coding best practices in .NET or Java
• Experience performing Secure Code Reviews
• Experience or willingness to perform public speaking
• Offensive Security Web Expert (OSWE) Certification
• Offensive Security Certified Professional (OSCP) Certification
• Offensive Security Certified Expert (OSCE) Certification
• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) certification
• GIAC Penetration Tester (GPEN) Certification
• GIAC Web Application Penetration Tester (GWAPT) Certification
• ISC2 Certified Information Systems Security Professional (CISSP)
• Knowledge of emerging security technologies, software, and methodologies
Data Privacy and Security:
• All Sirius employees are responsible for safeguarding the information and information systems that they use or handle in the execution of their duties. Employees are obligated to know and perform their duties in accordance with Sirius policies, standards, and procedures related to security, and to report security violations to the appropriate Sirius authority.
• Participate at hire and annually in the Information Security Awareness training as well as other required training identified by the Human Resources department. Other data privacy and data security related regulatory training may be required based on your role or assignment.
The position exists to provide technical consulting solutions to customers and as such requires the ability to travel to and from customer sites and interact with customers on an ongoing and regular basis.
The above primary duties, responsibilities, and position requirements are not all inclusive.
Sirius is an equal opportunity employer that values diversity. As a government contractor, Sirius takes affirmative action to employ and advance in employment qualified women, minorities, individuals with disabilities, and protected veterans; maintains a drug-free workplace; and participates in E-Verify.
Individuals who receive job offers will be required to complete pre-employment screening that includes a background check verifying name, residences, education, work experience, and criminal convictions consistent with the Fair Credit Reporting Act; and a drug test for controlled substances consistent with the Drug-Free Workplace Act and the Americans with Disabilities Act.
Sirius will not sponsor work eligibility for this position.