Job Requirements
Skills
Job description for IT Security Consultant - Code Review specialization at Xtremax Pte Ltd
We are looking for experienced security professionals who can help our clients achieve a secured environment for their applications and web information. You must have strong experience in performing penetration testing and vulnerability management services for applications, network systems, operating systems and databases. Candidates should have experience with black box, grey box, and white box testing. Selected candidates will work on a whole-of-government platform that hosts close to 500 web applications.
Responsibilities
- Perform Secure Code Reviews of the application code using both Manual and Automated Approach.
- Conduct security assessments such as penetration and vulnerability tests
- Keep updated on knowledge of the IT security industry: including awareness of new or revised security solutions, security standards, trends / best practices, offensive techniques and tools
- Perform Blackbox/Graybox testing of Web/Mobile/Thick client applications
- Perform Network Vulnerability Assessments and Penetration Testing
- Risk Evaluation of observed vulnerabilities based on common risk scoring techniques such as CVSS
- Knowledge-share with team on techniques and results
- Create detailed report of findings and recommendations after testing is complete and present to stakeholders
- Coordinate with developers/stakeholders on the findings for appropriate fixes
- Stay up-to-date in current tools, techniques, and vulnerabilities to incorporate into testing practices
Requirements
- Minimum 3 years experience in specifically Security Testing function
- Minimum 2 years of experience in performing automated secure code review using tools such as Microfocus Fortify or Checkmarx and manual code review (by reading codes) to identify potential vulnerabilities.
- Shall have knowledge of at-least two major programming languages such as Java and .Net.
- Degree in Computer Science / IT Security or other related disciplines
- Should have an overall exposure and understanding of Application and Network Security testing
- Strong knowledge of the OWASP Top 10, OWASP Mobile Top 10, SANS top 25. Detailed knowledge of common web application attack vectors such as SQL injection, CSRF, XSS, Session Management issues, Insecure Direct Object reference, Click jacking, buffer overflows, etc.
- Experience in manual application penetration testing of web- based applications, thick-client applications, mobile applications, web services, API s etc.
- Experience in manual mobile application penetration testing on platforms like Android, IOS, etc both client and server side applications would be preferrred.
- Should have knowledge on Risk Rating Standards like DREAD, CVSS etc.
- Experience in automated web application vulnerability scanners (e.g. Web inspect, Burpsuite Pro, etc)
- Should have performed Black Box / Grey Box Application penetration testing.
- Good understanding of application protocols such as HTTP, SAML, OAUTH, OpenID Connect,etc.
- Good understanding of network technologies and protocols such as NIPS, IDS, TLS/SSL, DLP, firewalls, WAF, DNS and other common technologies and protocols.
- Experience in performing Network Penetration Testing for both internal and external networks.
- Knowledge in end-to-end flow on executing application and network penetration testing
- Should be OSCP or CREST CRT certified.
- Should be able to work as individual contributor or as team player wherever required