Post Thu Mar 17, 2011 7:56 pm

Web Application Penetration Tester

Large consulting firm looking to fill a variety of security positions. Slots open in most major cities, but prefer NY, Short Hills, Philly, Tyson's Corner, Atlanta, Chicago, Detroit, Houston, Seattle, and San Francisco/Silicon Valley. The job postings will reflect experienced hires, but I am more than willing to talk to junior folks that have the skills to hit the ground running.

Web Application Tester
Responsibilities:
• Perform analysis and testing to verify the strengths and weaknesses of Web Applications and Web Services (XML, SOAP, WSDL, UDDI, etc.)
• Perform Internet penetration testing (blackbox/whitebox testing) and code reviews (manual/automated)
• Assist with the development of remediation services for identified findings
• Develop, operate, audit, and maintain secure applications
• Identify and clearly articulate (written and verbal) findings to senior management and clients
• Help identify improvement opportunities for assigned clients
• Supervise and provide engagement management for IT staff working on assigned engagements
Qualifications:
• Bachelor’s degree in computer science or related field from an accredited college/university
• Technical background in web application development/architecture or related fields
• Two or more years of .Net, Java, Ruby, Perl, Python, or C experience
• Operating System Configuration and Security experience (HP-UX, Linux, Solaris, AIX, etc.)
• Configuration and Security experience with Web Servers and Web Applications (Apache HTTP/Tomcat, Microsoft IIS, Sun One, Oracle iPlanet, IBM WebSphere, etc.)
• Database Configuration and Security experience (MySQL, Microsoft SQL, IBM DB2, Sybase, Oracle, etc.)
• Web Service experience (XML, SOAP, WSDL, UDDI, etc.)
• Experience with web application testing and development frameworks, such as the Open Web Application Security Project (OWASP)
• Experience with discovering and demonstrating web application vulnerabilities such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Injection Flaws, Remote file inclusion (RFI) and SQL Injection
• Commercial Application Security tools experience (AppScan, WebInspect, Acunetix, etc.)
• Web Proxy tools experience (Achilles, Burp, Spike, Paros, etc.)
• One or more of the following technical certifications: Sun Certified Java Developer® (SCJD®); Microsoft Certified Solution Developer® (MCSD®) for .NET; Certified Ethical Hacker (CEH); GIAC Certified Penetration Tester (GPEN); Offensive Security Certified Professional (OSCP); GIAC Web Application Security (GWAS); or equivalent development or testing certification (ECSA, CEPT, CPTE, CPTS, etc.)
• In addition, one or more of the following governance certifications is preferred: Certified Information Systems Security Professionals® (CISSP®); Certified Information Systems Auditor® (CISA®); Certified Information Security Manager® (CISM®)
• In-depth knowledge of the security and privacy provisions of a variety of regulations and standards such as PCI, NERC/CIP, SOX, HIPAA/HITECH, FFIEC, EU Privacy Laws, ISO, and COBIT
• Track record with published content / research work in the information security field
• Strong leadership and communication skills, technical knowledge, and the ability to write at a "publication" quality level in order to communicate findings and recommendations to the client’s senior management team
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER