Job Description

Responsibilities:

• Experience in conducting manual Vulnerability Assessments & Penetration Testing of the following:
• Web Applications and APIs hosted in on-premises infrastructure.
• Web Applications and APIs hosted in cloud environment and using AWS services such as S3 bucket, EC2 instances, Lambda functions, API Gateway, SNS etc.
• Thick Client/ Desktop Applications using re-engineering techniques via tools like Echo Mirage, IDAPro, CFF Explorer, Dnspy, MS sys-internals, Wireshark, dotpeek, ghidra.
• Think innovatively and out-of-the-box to identify techniques to exploit the vulnerabilities in our apps thereby bypassing the security controls that have been implemented. Should be able to generate impactful POC's of the vulnerabilities identified during the testing.
• Stay up to date with the latest application security vulnerabilities, and attack techniques and leverage those to identify similar vulns in the enterprise applications.
• Install, configure, use, and maintain the security tools that are being used for security testing of the applications.
• Meet with application team to collect information and determine scope of testing. Work closely with the application team to troubleshoot issues that impact testing (as required)
• Assess the risk levels of the identified vulnerabilities appropriately using CVSS scoring mechanism and do detailed documentation of the identified vulnerabilities, in a timely manner.
• Meet with the application teams to discuss the identified security vulnerabilities with them and provide guidance to the application teams to be able to remediate the identified security vulnerabilities.
• Retest application updates or deployed remediation logic to verify resolution of security vulnerabilities.
• Excellent communication and documentation skills to be able to write reports, update existing documentation etc.
• Ability to work independently and as part of a team. Should be able to mentor, guide and help the peers and/ or junior team members to learn and use new attack techniques during the security testing.

Qualifications:

• 7-9 Years of experience in conducting security testing of Web Application, Web API, Thick Client apps, mobile apps, AWS services, ideally in Finance Domain.
• Experience in using Web/API testing tools - Burp Suite, Postman, OWASP ZAP etc. Hands-on experience in using toolset on Kali and use it for performing advanced security testing of apps
• Sound knowledge of common web application security vulnerabilities (OWASP Top Ten, SANS Top 25, etc.) and programming patterns that lead to them, as well as remediation techniques.
• Experience in using Cloud posture security management tools such as Prisma, Wiz(preferred) etc

Additional Information:

• Sound Knowledge of Network Protocols.
• Basic programming abilities in Python or similar scripting language
• Mobile Applications (both iOS and Android) using tools like GenyMotion, Drozer, MobSF, Android Studio.
• Having an AWS Cloud Practioner Certification or Any other cloud certification shall be helpful. Any other security related certification like C|EH, CPent etc. Is a plus

Skills Required