Lead Penetration Tester

Introduction

At IBM, work is more than a job - it's a calling: To build. To design. To code. To consult. To think along with clients and sell. To make markets. To invent. To collaborate. Not just to do something better, but to attempt things you've never thought possible. Are you ready to lead in this new era of technology and solve some of the world's most challenging problems? If so, lets talk.

About Business Unit

IBM’s Cloud and Cognitive software business is committed to bringing the power of IBM’s Cloud and Watson/AI technologies to life for our clients and ecosystem partners around the world. IBM provides you with the most comprehensive and consistent approach to development, security and operations across hybrid environments—with complete software solutions for business and IT operations, development, data science, security, and management. Our experts and software capabilities help organizations develop applications once and deploy them anywhere, integrate security across the breadth of their IT estate, and automate operations with management visibility. With IBM, you also have access to new skills and methods, governance and management approaches, and a deep ecosystem of industry experts and partners.

Wonder if IBM is the one for you? :

In a world where technology never stands still, we understand that, dedication to our clients success, innovation that matters, and trust and personal responsibility in all our relationships, lives in what we do as IBMers as we strive to be the catalyst that makes the world work better.

Being an IBMer means you’ll be able to learn and develop yourself and your career, you’ll be encouraged to be courageous and experiment everyday, all whilst having continuous trust and support in an environment where everyone can thrive whatever their personal or professional background.

Our IBMers are growth minded, always staying curious, open to feedback and learning new information and skills to constantly transform themselves and our company. They are trusted to provide on-going feedback to help other IBMers grow, as well as collaborate with colleagues keeping in mind a team focused approach to include different perspectives to drive exceptional outcomes for our customers. The courage our IBMers have to make critical decisions everyday is essential to IBM becoming the catalyst for progress, always embracing challenges with resources they have to hand, a can-do attitude and always striving for an outcome focused approach within everything that they do.

Are you ready to be an IBMer?

About IBM

IBM's greatest invention is the IBMer. We believe that through the application of intelligence, reason and science, we can improve business, society and the human condition, bringing the power of an open hybrid cloud and AI strategy to life for our clients and partners around the world.Restlessly reinventing since 1911, we are not only one of the largest corporate organizations in the world, we’re also one of the biggest technology and consulting employers, with many of the Fortune 50 companies relying on the IBM Cloud to run their business.At IBM, we pride ourselves on being an early adopter of artificial intelligence, quantum computing and blockchain. Now it’s time for you to join us on our journey to being a responsible technology innovator and a force for good in the world.

Your Role And Responsibilities

Product-Security Technology Centre is responsible for ensuring that IBM products are secure by conducting timely Security reviews, penetration testing and following SPbD practices. As a penetration tester you will perform security testing of IBM product and SAAS offerings in development and production environment. You will also closely work with IBM product development teams to strengthen the security posture of their products by participating in threat model, source code security testing and share best practices / lessons learnt for secure coding/design.

Key Responsibilities

• Plan the penetration test
• Select, design and create appropriate tools for testing
• Perform the penetration test on computer systems, networks, web-based and mobile applications
• Document your methodologies, findings
• Gather the data intelligence not only from the output of the automated penetration tools but also from information gathered from interaction with product teams , previous results , threat model and source code scanning inputs.
• Review your findings and feedback to development teams
• Analyse the outcomes and make recommendations for security improvements
• Carry out application, network, systems and infrastructure penetration tests
• Review physical security and perform social engineering tests where appropriate
• Evaluate and select from a range of penetration testing tools
• Keep up to date with latest testing and ethical hacking methods
• Deploy the testing methodology and collect data
• Report on findings to a range of stakeholders
• Make suggestions for security improvements
• Enhance existing methodology material
  
  

Preferred Education

Bachelor's Degree

Required Technical And Professional Expertise

• Experience – More than 5years in Cybersecurity
• Web Application Testing
• Basic understanding of HTTP Protocol
• HTTP Methods, Request/Response Headers, Cookies, TCP/IP connections over HTTP etc.
• Basic understanding of HTML/JavaScript
• Good Understanding of security vulnerabilities, OWASP Top 10 vulnerabilities
  
  

Automated Testing

• Must have knowledge of at least one of IBM AppScan OR BurpSuite scanner. (Good to have knowledge of both the tools.)
• Should be able to configure automated scanner (such as Login sequence, manually exploring critical flaws, Policy customization, scan throttling, etc…) to perform successful scan.
• Assessment of scanner results and intelligently identifying false positives from the scan results.
• Knowledge of Burp features mainly, Spider, Intruder, Scanner, Repeater and Extender.
  
  

Manual Testing.

• Should be able to understand the above mentioned OWASP Top 10 categories to perform manual testing.
• Flaws like, Authentication (session management) testing, CSRF, business logic testing which are not detected by an automated scanner must be identified using manual testing.
• Understanding of the workflow of the application and identifying the entry points to detect possible vulnerabilities.
  
  

Preferred Professional And Technical Expertise

• Webservice Testing
• SOAP/REST APIs testing.
• Configuring cURL commands and POSTMAN tool to capture the request in automated scanner.
  
  

Network Testing

• Basic understanding of networking protocols such as TCP, UDP, DNS, DHCP etc.
• Basic understanding of network devices like router, switches, firewall/IDS/IPS etc..
• Network scanning tools such as Nessus, Nmap, Metasploit etc.
• Exploitation and Post Exploitation of network vulnerabilities.
• Threat Model and Source code security scanning
• Perform/Participate in threat model creation/design or review
• Perform source code security scanning using (SAST) tools like Sonarqube, AppScan, Mend and other popular open-source tools.
  
  

Preferred Technical And Professional Experience

• Security Certifications
• Any of the security certifications such as CEH, ECSA, EWPT, EWPTX, OSCP, GPEN, GWAPT etc