Datafin

Penetration Tester

IT – Software Testing
Stellenbosch – Western Cape

ENVIRONMENT:
ENSURE the business is prepared and skilled to mitigate any Cyber Security threat as the next Penetration Tester sought by a fast-paced & innovative Financial Institution. You will do this through the assessment and testing of applications and processes while identifying potential areas of weakness from a security perspective. The ideal candidate must possess a suitable IT-related BSc, BEng or BCom, Offensive Security / Ethical Hacking Training or a relevant Information Security Certification (e.g., OSWE, OSEP, Pentest+ or equivalent), have 3-5 years’ experience in Cyber Security Testing with at least 2 years within the Financial Services / Banking sectors, have experience with the Agile and DevOps models, manual and automated security testing of infrastructure, networks, and web applications/services & technical vulnerability assessments (CVE and CVS database knowledge). You must also have solid knowledge of TTPs/MITRE ATT&CK Framework, the threat-attack landscape, OWASP Top 10 (Web, Mobile, API) and OSINT & proficiency with Windows, Linux, UNIX, RedHat, MySQL, Oracle and at least 1 of these tech tools: Python, Bash, PowerShell, C/PHP/Java code.
 
DUTIES:
Conduct security assessments and testing –
  • Take ownership for the execution of the full security assessment lifecycle and engage with internal and external product and system owners to schedule and run assessments.
  • Provide security assurance on the applications/infrastructure/network related assessments. Present information substantiated by data to Information Security Officer to inform business decision making.
  • Conduct security reviews against external service providers (e.g., cloud, and data centres) to assess the integration of systems with 3rd parties (upstream / downstream).
  • Compile and deliver Penetration Test reports that provide evidence, motivation and severity of cyber security risks. Communicate to the business / relevant stakeholders on forums and committees.
 
Inter-team collaboration with the Cyber Security Function –
  • Provide subject matter expertise and participate in the development and communication of technical security standards and policies that comply with both internal and external (e.g., regulatory, compliance, best practice) directives.
  • Conduct team engagements to ascertain the security posture of the security controls, people, processes and procedures safeguarding the said systems.
  • Foster and maintain the strong collaborative environment between the Offence and Defence teams and contribute to cross functional knowledge sharing.
 
External consulting to the business –
  • Act as a technical advisor and subject matter expert, providing Cyber Security guidance and recommendations to departments and delivery teams across the business.
  • Work with Product Delivery teams and translate security requirements into application and infrastructure design elements.
  • Develop threat models based on requirements obtained through customer engagement / scoping sessions.
  • Contribute towards raising awareness of Cyber Security.
 
Best practice, tools and technologies –
  • Stay up to date with latest best practices, tactics, techniques, and procedures common within the threat-attack landscape pertinent to the company environment – in order to provide subject matter expertise and guidance to stakeholders.
  • Maintain existing tools and expand cyber offence software and hardware to support the security testing capabilities.
 
REQUIREMENTS:
  • A relevant tertiary qualification in Information Technology – IT Engineering – preferably BSc, BEng, BCom.
  • Offensive Security / Ethical Hacking Training or a relevant Information Security Certification (e.g., OSWE, OSEP, Pentest+ or equivalent).
  • 3-5 years’ experience in Cyber Security Testing.
  • 2-3 years’ Financial Services / Banking experience.
  • Risk Identification and communication relating to Cyber Security.
  • Experience with the Agile and DevOps models.
  • Manual and automated security testing of infrastructure, networks, and web applications/services.
  • Technical vulnerability assessments (CVE and CVS database knowledge).
  • Best practice technical reviews; using company and industry standards.
  • Common network protocols, system architecture, and operating systems.
  • Logical access reviews and audit.
  • Knowledge of TTPs/MITRE ATT&CK Framework and the threat-attack landscape.
  • Strong communication and reporting skills, articulate risk to business.
  • Solutioning and whiteboarding of systems to be assessed.
  • Ability to read/understand at least 1 scripting language (e.g., Python, Bash, PowerShell, C/PHP/Java code).
  • Experience in testing web services, web/mobile applications, and cloud applications.
  • Proficiency with pen-testing tools (security distros and intercepting proxy tools).
  • Understanding and familiarity with vulnerabilities included in methodologies such as OWASP Top 10 (Web, Mobile, API) and OSINT.
  • Understanding of system architectures and platforms (e.g., Windows, UNIX, Linux and RedHat).
  • Understanding of tiered web application/service/cloud architectures and related databases (MySQL, MSSQL and Oracle).
  • Understanding of networking protocols and architectures, WAFs, web and reverse proxies, DLP, e-mail proxy, DAM, firewalls and perimeter security technologies, and End User Infrastructure Service technologies (e.g., Print Management Solutions).
 
Desirable –
  • Cyber Security Threat modelling and Attack-Path mapping.
  • Familiarity with industry regulatory requirements, specific to Information Security.
  • Reverse engineering of malware/exploits.
 
ATTRIBUTES:
  • Learning and researching.
  • Adhering to principles and values.
  • Delivering results and meeting customer expectations.
  • Presenting and communicating information.
  • Writing and Reporting.
  • Applying expertise and technology.
  • Analysing.