
    Application Penetration Tester - Monterrey, México - CHUBB

    CHUBB
    Regular - Full-time
    Description

    Application Penetration Tester

    The Chubb Information Security team is responsible for protecting information and information systems against unauthorized access, detecting and responding to attempts to gain access, and enabling access through our identity processes. Chubb operates a global information security team supporting local business units across five regions (Asia Pacific, North America, Latin America, Japan, and Europe including the Middle East and Africa). Our global information security strategy is developed with input from each of these regions and translated into programs that are then executed by the regions using resources from each region (especially our infrastructure partners).

    The Application Vulnerability Management team is tasked with identifying security vulnerabilities in Chubb applications, using both automated scanning tools and manual penetration testing activities.

    The Application Penetration Tester role is specifically responsible for the overall vulnerability remediation status of the global application portfolio. This includes engaging directly with application development teams and their management to address topics related to application vulnerabilities and remediation efforts, such as reporting on scan results, managing remediation plans, and receiving updates from development teams.

    The candidate will be required to maintain accurate vulnerability remediation metrics and help provide regular reports to IT leadership on global remediation progress.

    The role will evolve to include management of global application risk rating, an existing process which is being reviewed for modification to support security architecture initiatives.

    Primary Responsibilities

  • Manage the overall vulnerability remediation status of the global application portfolio.
  • Primary point of contact with IT application development teams for remediation-related matters
  • Accurately track vulnerability remediation efforts
  • Hold regular status calls with portfolio leads as necessary to maintain a consistent channel of communication.
  • Follow up on overdue vulnerabilities with portfolio leads.
  • Manage global application risk rating processes.
  • Ensure timely risk scoring of new and changing applications.
  • Ensure enterprise application repository information is up to date with security and risk information.
  • Create and distribute regular vulnerability status reports to portfolio leads and CIOs.
  • Provide recommendations for automation or other process improvement suggestions for operational processes.
    Minimum Qualifications

  • Prior experience with managing Information Security projects
  • Bachelor's degree in Computer Science, Engineering, or other Engineering or Technical discipline, or equivalent relevant experience
  • Minimum of 2 years' professional experience performing web application pen testing, API endpoint testing and mobile penetration testing (iOS & Android).
  • Knowledge of prioritizing remediation activities with operational teams through risk ratings of vulnerabilities and assets
  • Knowledge of industry standards regarding vulnerability management including Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS)
  • Knowledge of technology and security topics including network security, wireless security, application security, infrastructure hardening and security baselines, web server and database security
  • Knowledge of penetration testing principles, tools, and techniques.
  • Working experience with industry frameworks (OWASP, NIST,
  • Comfortable working outside their comfort zone with a willingness to learn.
  • Excellent verbal and written communication skills
  • Strong analytical skills
  • Strong team player with ability to work independently.
  • Strong project management skills and ability to multi-task
  • Self-motivated with strong initiative
  • Knowledge of computer networking concepts and protocols, and application security methodologies
  • Skill in performing impact/risk assessments.
    Requirements

  • Good understanding of secure SDLC, data protection, information security principles and exploit/attack techniques.
  • Familiar with all basic concepts related to networking, applications, operating system functionality and be able to apply application logic manipulation, bypassing security controls and exploit development.
  • Assist with scoping engagements, leading from kickoff through remediation, and track vulnerabilities as per timelines.
  • Improve operational efficiency by building and evaluating workflow processes, procedures, checklists, automation, and tooling.
  • Security testing tools including Kali Linux, Metasploit, Nmap, Burp Suite, OWASP ZAP Proxy, Santoku, MSF, GenyMotion, Appie, Apktool, JD-GUI, SQLMap, etc.
  • Skilled in identifying OWASP TOP 10 (Web & Mobile) vulnerabilities.
  • Develop secure coding checklists for applications based on OWASP ASVS (Application Security Verification Standard).
  • Lead and execute security assessments to identify business risk, likelihood and impact an attacker may have on the system due to bad coding errors and weak or missing security controls.
  • Experience with conducting reverse engineering on mobile applications, identifying hard-coded passwords, SQLi and keychain distributions, including applications with anti-emulator and obfuscation protections.
  • Experience conducting full-scope assessments and penetration tests including social engineering, reverse engineering, server- & client-side attacks and web & mobile application exploitation.
  • Identify and prioritize key risk areas balancing the business risk and cyber threats.
  • Code analysis for control flow, application logic bypasses and security flaws.
  • Utilize attacker tools, tactics, and procedures used to perform analysis and identify vulnerabilities.
  • Validate security weaknesses, research new attack techniques, and develop custom scripts, exploits, tools, and methodologies to enhance penetration testing processes, etc.
  • Identify and demonstrate vulnerabilities that may be used by an adversary to exploit components of the target systems.
  • Analyze security findings, including risk analysis and root cause analysis.
  • Risk rate the vulnerabilities based on actual impact to the business.
  • Ability to document security weaknesses, including steps to reproduce and explain technical details in a concise, understandable manner.
  • Develop comprehensive and accurate security penetration reports.
  • Research and formulate practical short and long term remediations for vulnerabilities.
  • Effectively communicate findings and strategy to business stakeholders, including technical and executive leadership.
  • Work closely with development teams to ensure remediated vulnerabilities are closed once the fixes are deployed to production.
  • Ability to maintain and develop dashboards to track the status of security vulnerabilities.
  • Follow up on the overdue vulnerabilities to meet the compliance requirements.
  • Good to have security certifications: GIAC Web Application Penetration Tester (GWAPT), GIAC Penetration Tester (GPEN), Licensed Penetration Tester (LPT), Certified Ethical Hacker (CEH), OSCP or OSWE, etc.
  • Active team player with interpersonal, collaborative, and consultative skills.
  • Strong, clear, and concise verbal and written communication skills
  • Ability to adapt, reprioritize project work, and help drive the team's focus as priorities shift or requirements change.