Penetration Tester

Overview

IBM Infrastructure is a catalyst that makes the world work better because our clients demand it. Heterogeneous environments, the explosion of data, digital automation, and cybersecurity threats require hybrid cloud infrastructure that only IBM can provide.

Your ability to be creative, a forward-thinker and to focus on innovation that matters, is all support by our growth minded culture as we continue to drive career development across our teams. Collaboration is key to IBM Infrastructure success, as we bring together different business units and teams that balance their priorities in a way that best serves our client's needs.

IBM's product and technology landscape includes Research, Software, and Infrastructure. Entering this domain positions you at the heart of IBM, where growth and innovation thrive.

Your Role And Responsibilities

Your Role and Responsibilities

Infra Security Center is responsible for ensuring that IBM products are secure by conducting timely Security reviews, penetration testing and following SPbD practices. As a penetration tester you will perform security testing of IBM product (Cloud/on prim) offerings in development and production environment. You will also closely work with IBM product development teams to strengthen the security posture of their products by participating in threat model, source code security testing and share best practices / lessons learnt for secure coding/design.

Key Responsibilities

• Plan the penetration test
• Select, design and create appropriate tools for testing
• Perform the penetration test on computer systems, networks, web-based and mobile applications
• Document your methodologies, findings
• Gather the data intelligence not only from the output of the automated penetration tools but also from information gathered from interaction with product teams , previous results , threat model and source code scanning inputs.
• Review your findings and feedback to development teams
• Analyse the outcomes and make recommendations for security improvements
• Carry out application, network, systems and infrastructure penetration tests
• Review physical security and perform social engineering tests where appropriate
• Evaluate and select from a range of penetration testing tools
• Keep up to date with latest testing and ethical hacking methods
• Deploy the testing methodology and collect data
• Report on findings to a range of stakeholders
• Make suggestions for security improvements
• Enhance existing methodology material
  
  

Bachelor's Degree

Required Technical And Professional Expertise

Required Professional and Technical Expertise

• Experience – More than 1-2 years in Cybersecurity
• Web Application Testing
• Basic understanding of HTTP Protocol
• HTTP Methods, Request/Response Headers, Cookies, TCP/IP connections over HTTP etc.
• Basic understanding of HTML/JavaScript
• Good Understanding of security vulnerabilities, OWASP Top 10 vulnerabilities
• Basic understanding of storage domain
  
  

Automated Testing

• Must have knowledge of at least one of ZAP OR BurpSuite scanner. (Good to have knowledge of both the tools.)
• Should be able to configure automated scanner (such as Login sequence, manually exploring critical flaws, Policy customization, scan throttling, etc…) to perform successful scan.
• Assessment of scanner results and intelligently identifying false positives from the scan results.
• Knowledge of Burp features mainly, Spider, Intruder, Scanner, Repeater and Extender.
  
  

Manual Testing.

• Should be able to understand the above mentioned OWASP Top 10 categories to perform manual testing.
• Flaws like, Authentication (session management) testing, CSRF, business logic testing which are not detected by an automated scanner must be identified using manual testing.
• Understanding of the workflow of the application and identifying the entry points to detect possible vulnerabilities.