Friday, September 21, 2018

Web Application Security Test Engineer

Title: Web Application Security Test Engineer
Work Location: Pleasanton, CA
Job Description:
Scope of Work (SOW) - Web Application Security Test Engineer
The scope of duties for the Web Application Security Test Engineer includes, but is not limited to, the following:
  • Acquire complete understanding of SCIF's technology and information systems.
  • Capture and define the security test requirements.
  • Plan, research, and design robust security architecture test strategy for any IT project.
  • Perform vulnerability testing, risk analysis, and security assessments.
  • Research security standards, security systems and authentication protocols with SCIF.
  • Apply testing methodologies and tools to complex applications for finding weaknesses and security vulnerabilities early in the SDLC process.
  • Understanding of application security principles, risks, attacks, OWASP security guidelines and best practices in order to perform SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and IAST (Interactive Application Security Testing).
  • Develop test requirements for Web Applications Security Testing for all releases using automated tools and manual testing.
  • Design test plans for DAST, OWASP Top 10 Most Critical Web Application Security Risks, public key infrastructures (PKIs), including use of certification authorities (CAs) and digital signatures.
  • Proficiency in Applications Security testing tools like Acunetix Web Vulnerability Scanner / Burp Suite / Fortify WebInspect, Nessus, Nmap and other open source tools.
  • Define, implement and maintain corporate or enterprise security policies and procedures.
  • Oversee security awareness programs and educational efforts.
  • Respond immediately to security-related incidents and provide a thorough post-event analysis.
  • Define all entry points to the system, such as files, sockets, hypertext transfer protocol (HTTP) requests, named pipes, pluggable activities, protocol handlers, malicious server responses and so on.
  • Analyze potential threats and perform risk analysis based on the entry points defined, giving examples of threats and the methods used to analyze them.

Technical and Demonstrable Skills

The Consultant resource(s) shall possess most of the following skills:
  • At least 5 years' experience doing web application security testing.
  • Exploit security flaws and vulnerabilities through attack simulations on multiple projects, working against specific, client-focused scopes of work.
  • Ability to move from black box to gray box to white box testing depending on client needs.
  • Ability to test a variety of client form factors and technologies based on the scope of work.
  • Ability to solve complex technical problems and articulate to non-IT personnel.
  • Ability to effectively provide technical risk assessment of technologies in networks, applications, wireless, social engineering, code reviews and war dialing.
  • Ability to perform vulnerability assessments and penetration testing, utilizing commercial and open source tools.
  • Perform, review and analyze security vulnerability data to identify applicability and false positives.
  • Research and develop testing tools, techniques, and process improvements.
  • Create risk based security code reviews (static & dynamic).
  • Conduct penetration testing in line with the Open Web Application Security Project (OWASP) guidelines.
  • Mentor junior engineers to build their skills and contribution levels.
  • Write technical reports that include suggested resolution for identified problem areas and perform operational risk assessment.
  • Support company through the testing and evaluation of new technologies and security controls.
  • Assist and support Security Test Analysts as they perform vulnerability, network and network security assessments.
  • May require the performance of other essential functions depending upon work location or assignment.
  • Experience with DevOps and SIEM tools (e.g. Chef, Splunk and Vagrant).
  • Experience with scripting languages (e.g. Python, Perl, SQL) a plus.
  • Ability to perform below tasks:
    • Dynamic Application Security Testing (DAST)
    • Static Application Security Testing (SAST)
    • Interactive Application Security Testing (IAST)
    • Web Application Penetration Testing
    • Product Security Testing
    • Cloud Application Security Testing
    • Web Services Security Testing
    • Security Code Review
    • Network Security Assessment
  • Security Testing Tools: IBM AppScan, Burp Suite, Tamper Data, Live HTTP Headers, Client Fortify, Veracode, OWASP Top 10, N-Stealth, Hailstorm, Paros, SANS Top 20, Acunetix, Nessus

The Consultant resource(s) shall be knowledgeable in most of the following areas:
  • Knowledge and understanding of basic information security principles (e.g. OWASP Top Ten).
  • Knowledge of security best practice guidelines (ISO 17799, NIST, etc.).
  • Relevant professional experience, including working knowledge of penetration testing and of the following:
    • OSI Layers and application protocols
    • TCP/IP networking including IP classes, subnets, multicast, NAT
    • WINS, DNS, and DHCP, Network troubleshooting
    • Microsoft OS and Server technologies
    • Remote access methods
    • Backup and disaster recovery methodologies
    • Patch management technologies and processes
    • Wireless protocols and services
    • Network analysis tools
    • Familiarity with UNIX a plus
  • Application security and IS certifications are preferred:
    • GIAC Certified Web Application Defender (GWEB)
    • Offensive Security Web Expert (OSWE)

Himesh Gond
Lancesoft Inc
13454 Sunrise Valley Drive, Suite 120, Herndon, VA 20171
Direct: (703) 889-6535 | Fax: (703) 935-0339