As a Penetration Tester , you will play a crucial role in assessing and fortifying the security infrastructure of our clients' fintech systems. Your responsibilities will include identifying vulnerabilities, conducting penetration tests, and providing strategic recommendations to enhance the overall security posture of financial applications and platforms. This role entails leading security assessments and conducting penetration tests for Infrastructure, Network, Cloud, SDK’s, web & mobile application security testing. Roles & Responsibilities:
• Penetration Testing :
• Conduct thorough and methodical penetration tests on financial systems, applications, and networks to identify vulnerabilities and potential security risks.
• Web Applications: Conduct security assessments on web applications to identify vulnerabilities such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and security misconfigurations. Evaluate the effectiveness of authentication mechanisms and authorization controls. Perform thorough testing of input validation and output encoding to prevent injection attacks; Mobile Application Testing; Cloud Security Testing; Network Infrastructure Testing
• Ensure that penetration testing activities explicitly cover the OWASP Top 10 vulnerabilities relevant to the organization's web applications.
• Ensure that penetration testing activities cover a broad range of MITRE ATT&CK tactics and techniques applicable to the organization's environment.
• Conduct Security configuration baseline assessments. Configuration Scanning and Analysis; Identify Misconfigurations and Vulnerabilities; Risk Assessment; Remediation Recommendations; Continuous Monitoring: Recommend or implement continuous monitoring solutions to ensure that security configurations remain in compliance over time.
• Adversary Emulation Threat Intelligence Analysis; Scenario Development; Tool Selection and Configuration; Credential Access and Privilege Escalation; Persistence and Stealth; Exploitation and Post-Exploitation; Social Engineering and Phishing; Network Segmentation Assessment; Detection Evasion Techniques; Emulate real-world adversarial behavior by incorporating MITRE ATT&CK tactics and techniques into penetration testing engagements.
• Vulnerability Management Vulnerability Identification; Vulnerability Assessment; Prioritization; Mitigation Planning; Implementation of Controls; Verification and Validation; Continuous Monitoring
• Threat Modeling Data Flow Analysis; Authentication and Authorization; Input Validation; Session Management; Data Storage; Communication Security; Cryptographic Controls; Error Handling and Logging; Third-Party Integrations
• QWASP Top 10
• MITRE ATT&CK Qualifications Graduate of Information Security or Computer Science degree program. 5-7+ years of experience in a similar role. Professional qualifications (one or more): CISSP, CCSP, OSCP, OSCE, GWAPT, GPEN, GXPN, OSEP, OSWE, OSED, CEH Candidate must have OSCP certification In-depth knowledge of relevant cybersecurity frameworks and standards (e.g., NIST, ISO 27001, PCI DSS, Cloud security benchmark). Scripting and Programming Skills: Proficiency in scripting languages (e.g., Python, Bash) and programming languages (e.g., C, Java, JavaScript) for custom tool development and automation of tasks. In-depth Understanding of Secure Coding Practices: Knowledge of secure coding techniques and code review processes to identify vulnerabilities in software. Typical Day in the Role
• Experience in leading security/vulnerability assessments and conducting penetration tests.
• Conduct penetration tests to discover and exploit vulnerabilities.
• Help review, assess, and prioritize vulnerabilities.
• Document findings and communicate their relevance efficiently to technical teams and senior management.
• Produce high-quality reports for clients.
• Work closely with the development and infrastructure teams and act as a subject matter expert on vulnerabilities and the best ways to mitigate them.
• Advanced Network Analysis and Forensics Skills: Skills in network traffic analysis, digital forensics, and incident response to understand attack vectors and trace malicious activities.
• Excellent verbal and written communication skills to effectively report and explain findings to both technical and non-technical stakeholders
