Applications Security - Network Applications/Web/Penetration Testing

NO SPONSORSHIP

Associate Principal, Application Security

SALARY: $160k - $170k plus 15% bonus

LOCATION: Chicago

Hybrid if in Chicago - 3 days onsite

For the perfect candidate it is open to remote states: IL, TX, FL, GA, MA, MD, MN, NC, NJ, NY, DC, WI

Looking for a candidate to focus on security of applications, pen testing, conduct risk assessments of the vulnerability. You will setup command and control c2 infrastructure. Network application, web application, penetration testing, automation tools.

This position works closely with other members of the Security Services, IT Development Teams, and Development teams to support application and software security initiatives, projects, and operations.

Responsibilities include:

Candidate would perform Network/Application and Web Application penetration testing. Also create custom scripts and perform automation while also perform security assessments on both legacy on prem and cloud environments. Candidate would also Identify, document and communicate vulnerabilities.

Primary Duties and Responsibilities:

• Application Security Testing
• Perform application penetration testing as part of a team.
• Perform retests of vulnerabilities to verify previous findings have been remediated.
• Review reports of the testing and conduct security risk assessment of the vulnerabilities.
• The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.
• Conduct code scans using automated tools and risk rate the vulnerabilities according to the organization risk profile and mitigating controls.
• Conduct IT/Security code review meetings to eliminate false positives and encourage collaboration between Security and IT development teams.
• Assist with application security vulnerability management including implementation of new vulnerability management tools.
• Setup Command & Control C2 Infrastructure.

Qualifications:

• Experience with CI/CD pipelines and software development/coding: Docker, Jenkins, GitHub, SVN, Terraform, and others.

Exceptional analytical, problem solving and troubleshooting skills with the ability to exercise good judgment while developing creative solutions.

• Network/Application Penetration Testing, Web Application Penetration Testing and more.
• Direct experience testing in commercial cloud environments (AWS, Azure, Google Cloud Platform, IaaS/PaaS/SaaS).
• Good applicable knowledge of policy and procedure development, systems analysis, Information Assurance (IA) policy, vulnerability management, and risk management
• Good understanding of regulatory standards
• Strong knowledge of cryptography
• Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
• Exhibit ability to understand and probe/exploit a diverse range of Network and Internet Protocols.
• Exhibit ability to understand and modify code in a diverse range of programming languages and frameworks; must have direct practical experience with one or more high level programming languages.
• Nice to have - Experience working on critical infrastructure in a regulated environment

Technical Skills:

• Strong proficiency in network, application penetration testing
• Strong experience with custom scripting (python, C , PowerShell, bash, etc.) and process automation.
• Strong experience with database security testing (MSSQL, DB2, MySQL, etc.).
• Strong proficiency with common penetration testing tools (Kali, Armitage, Metasploit, Cobalt Strike, Nmap, Qualys, Nessus, Burp Suite, Wireshark etc.).
• Experience with Mainframes, Windows, Unix, MacOS, Cisco, platforms and controls.
• Proficient in creating content with Microsoft Office (Word, Excel, PowerPoint, Visio).
• Proficient in basic document management in a Microsoft SharePoint environment.
• Experience with dedicated document management tools (e.g., DMS, PolicyTech) a plus.
• Experience with using ServiceNow.
• Familiarity with application frameworks and their built-in security services and API s
• Knowledge of security architecture design and principles including confidentiality, integrity and availability.
• Knowledge of automated code scanning tools and development pipeline tools
• Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
• Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, Active Directory, and LDAP)
• General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
• Fundamental understanding of network and data communications technologies
• Knowledge of (AWS, Azure, Google Cloud Platform) Cloud security concepts, best practices, and environments
• Knowledge of Secure DevOps concepts

Education and/or Experience:

• BS in Computer Science, Information Management, Information Security or other comparable technical degree from an accredited college/university desired.
• 3 Years experience penetration testing.
• 5 Years experience in Information Assurance or Information Security environment.
• Experience writing scripts and working with containers in a CI/CD pipeline
• Exposure to security architecture design through application development or knowledge of security concepts/best practices
• Previous work in development, architecture or quality assurance testing may be applicable to the position requirements.

Certificates or Licenses:

• Security-related certifications (CISSP, CISA, CRISK, ISSAP, GSLC, OSCP, OSCE, GPEN, or GXPN, etc.) highly desired.
• Professional network and/or security certifications a plus (i.e., GIAC, CISSP, CISA, CISM, CRISC)
• Cloud security automation certifications a plus (i.e. GCSA)
• Penetration testing certifications a plus (i.e. OSCP, GWAPT)