IT – Software Testing
Stellenbosch – Western Cape
ENSURE the business is prepared and skilled to mitigate any Cyber Security threat as the next Penetration Tester sought by a fast-paced & innovative Financial Institution. You will do this through the assessment and testing of applications and processes while identifying potential areas of weakness from a security perspective. The ideal candidate must possess a suitable IT-related BSc, BEng, BCom, Offensive Security / Ethical Hacking Training or a relevant Information Security Certification (e.g., OSWE, OSEP, Pentest+ or equivalent), have 3-5 Years’ experience in Cyber Security Testing with at least 2 years within the Financial Services / Banking sectors, have experience with the Agile and DevOps models, manual and automated security testing of infrastructure, networks, and web applications/services & Technical vulnerability assessments (CVE and CVS database knowledge). You must also have solid knowledge of TTPs/MITRE ATT&CK Framework, threat-attack landscape, OWASP Top 10 (Web, Mobile, API) and OSINT & proficiency with Windows, Linux, UNIX, RedHat, MySQL, Oracle and at least 1 of these tech tools: Python, Bash, PowerShell, C/PHP/Java code.
Conduct security assessments and testing –
- Take ownership for the execution of the full security assessment lifecycle and engage with internal and external product and system owners to schedule and run assessments.
- Provide security assurance on the applications/infrastructure/network related assessments. Present information substantiated by data to Information Security Officer to inform business decision making.
- Conduct security reviews against external service providers (e.g., cloud, and data centres) to assess the integration of systems with 3rd parties (upstream / downstream).
- Compile and deliver Penetration Test reports that provide evidence, motivation and severity of cyber security risks. Communicate to the business / relevant stakeholders on forums and committees.
Inter-team collaboration with the Cyber Security Function –
- Provide subject matter expertise and participate in the development and communication of technical security standards and policies that comply with both internal and external (e.g., regulatory, compliance, best practice) directives.
- Conduct team engagements to ascertain the security posture of the security controls, people, processes and procedures safeguarding the said systems.
- Foster and maintain the strong collaborative environment between the Offence and Defence teams and contribute to cross functional knowledge sharing.
External consulting to the business –
- Act as a technical advisor and subject matter expert, providing Cyber Security guidance and recommendations to departments and delivery teams across the business.
- Work with Product Delivery teams and translate security requirements into application and infrastructure design elements.
- Develop threat models based on requirements obtained through customer engagement / scoping sessions.
- Contribute towards raising awareness of Cyber Security.
Best practice, tools and technologies –
- Stay up to date with latest best practices, tactics, techniques, and procedures common within the threat-attack landscape pertinent to the company environment – in order to provide subject matter expertise and guidance to stakeholders.
- Maintain existing tools and expand cyber offence software and hardware to support the security testing capabilities.
- A relevant tertiary qualification in Information Technology – IT Engineering – preferably BSc, BEng, BCom.
- Offensive Security / Ethical Hacking Training or a relevant Information Security Certification (e.g., OSWE, OSEP, Pentest+ or equivalent).
- 3-5 Years’ experience in Cyber Security Testing.
- 2-3 Years Financial Services / Banking experience.
- Risk Identification and communication relating to Cyber Security.
- Experience with the Agile and DevOps models.
- Manual and automated security testing of infrastructure, networks, and web applications/services.
- Technical vulnerability assessments (CVE and CVS database knowledge).
- Best practice technical reviews; using company and industry standards.
- Common network protocols, system architecture, and operating systems.
- Logical access reviews and audit.
- Knowledge of TTPs/MITRE ATT&CK Framework, threat-attack landscape.
- Strong communication and reporting skills, articulate risk to business.
- Solution and white boarding of systems to be assessed.
- Ability to read/understand at least 1 scripting language (e.g., Python, Bash, PowerShell, C/PHP/Java code).
- Experience in testing web services, web/mobile applications, and cloud applications.
- Proficiency with pen-testing tools (Security distros and intercepting proxy tools).
- Understanding of and familiarity with vulnerabilities included in methodologies such as OWASP Top 10 (Web, Mobile, API) and OSINT.
- Understanding of system architectures and platforms (e.g., Windows, UNIX, Linux and RedHat).
- Understanding of tiered web application/service/cloud architectures and related databases (MySQL, MSSQL and Oracle).
- Understanding of networking protocols and architectures, WAFs, web and reverse-proxies, DLP, e-mail proxy, DAM, firewalls and perimeter security technologies. End User Infrastructure Service technologies (e.g., Print Management Solutions).
- Cyber Security Threat modelling and Attack-Path mapping.
- Familiarity with industry regulatory requirements, specific to Information Security.
- Reverse engineering of malware/exploits.
- Learning and researching.
- Adhering to principles and values.
- Delivering results and meeting customer expectations.
- Presenting and communicating information.
- Writing and Reporting.
- Applying expertise and technology.