Application Penetration Tester
Mexico
The Chubb Information Security team is responsible for protecting information and information systems against unauthorized access, detecting and responding to attempts to gain access, and enabling access through our identity processes. Chubb operates a global information security team supporting local business units across five regions (Asia Pacific, North America, Latin America, Japan, and Europe including the Middle East and Africa). Our global information security strategy is developed with input from each of these regions and translated into programs that are then executed by the regions using resources from each region (especially our infrastructure partners).
The Application Vulnerability Management team is tasked with identifying security vulnerabilities in Chubb applications, using both automated scanning tools and manual penetration testing activities.
The Application Penetration Tester role is specifically responsible for the overall vulnerability remediation status of the global application portfolio. This includes engaging directly with application development teams and their management to address topics related to application vulnerabilities and remediation efforts, such as reporting on scan results, managing remediation plans, and receiving updates from development teams.
The candidate will be required to maintain accurate vulnerability remediation metrics and help provide regular reports to IT leadership on global remediation progress.
The role will evolve to include management of global application risk rating, an existing process which is being reviewed for modification to support security architecture initiatives.
Primary Responsibilities
- Manage the overall vulnerability remediation status of the global application portfolio.
- Act as the primary point of contact with IT application development teams for remediation-related matters.
- Accurately track vulnerability remediation efforts.
- Hold regular status calls with portfolio leads as necessary to maintain a consistent channel of communication.
- Follow up on overdue vulnerabilities with portfolio leads.
- Manage global application risk rating processes.
- Ensure timely risk scoring of new and changing applications.
- Ensure enterprise application repository information is up to date with security and risk information.
- Create and distribute regular vulnerability status reports to portfolio leads and CIOs.
- Provide recommendations for automation or other process improvement suggestions for operational processes.
Minimum Qualifications:
- Prior experience managing information security projects.
- Bachelor's degree in Computer Science, Engineering, or another technical discipline, or equivalent relevant experience.
- Minimum of 2 years' professional experience performing web application penetration testing, API endpoint testing and mobile penetration testing (iOS and Android).
- Knowledge of prioritizing remediation activities with operational teams through risk ratings of vulnerabilities and assets.
- Knowledge of industry standards regarding vulnerability management, including Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS).
- Knowledge of technology and security topics including network security, wireless security, application security, infrastructure hardening and security baselines, and web server and database security.
- Knowledge of penetration testing principles, tools, and techniques.
- Working experience with industry frameworks (OWASP, NIST, etc.).
- Comfortable working outside their comfort zone, with a willingness to learn.
- Excellent verbal and written communication skills.
- Strong analytical skills.
- Strong team player with the ability to work independently.
- Strong project management skills and the ability to multi-task.
- Self-motivated with strong initiative.
- Knowledge of computer networking concepts and protocols, and of application security methodologies.
- Skill in performing impact/risk assessments.
Requirements:
- Good understanding of the secure SDLC, data protection, information security principles and exploit/attack techniques.
- Familiar with all basic concepts related to networking, applications and operating system functionality, and able to apply application logic manipulation, security control bypasses and exploit development.
- Assist with scoping engagements, lead them from kickoff through remediation, and track vulnerabilities against agreed timelines.
- Improve operational efficiency by building and evaluating workflow processes, procedures, checklists, automation, and tooling.
- Experience with security testing tools including Kali Linux, Metasploit, Nmap, Burp Suite, OWASP ZAP Proxy, Santoku, MSF, Genymotion, Appie, Apktool, JD-GUI, sqlmap, etc.
- Skilled in identifying OWASP Top 10 (Web and Mobile) vulnerabilities.
- Develop secure coding checklists for applications based on the OWASP ASVS (Application Security Verification Standard).
- Lead and execute security assessments to identify business risk, and the likelihood and impact of an attacker compromising the system through coding errors and weak or missing security controls.
- Experience conducting reverse engineering on mobile applications, identifying hard-coded passwords, SQL injection and keychain storage issues, including in applications with anti-emulator and obfuscation protections.
- Experience conducting full-scope assessments and penetration tests, including social engineering, reverse engineering, server- and client-side attacks, and web and mobile application exploitation.
- Identify and prioritize key risk areas, balancing business risk and cyber threats.
- Code analysis of control flow, application logic bypasses and security flaws.
- Utilize attacker tools, tactics, and procedures to perform analysis and identify vulnerabilities.
- Validate security weaknesses, research new attack techniques, and develop custom scripts, exploits, tools, and methodologies to enhance penetration testing processes.
- Identify and demonstrate vulnerabilities that an adversary could use to exploit components of the target systems.
- Analyze security findings, including risk analysis and root cause analysis.
- Risk-rate vulnerabilities based on their actual impact to the business.
- Ability to document security weaknesses, including steps to reproduce, and explain technical details in a concise, understandable manner.
- Develop comprehensive and accurate penetration test reports.
- Research and formulate practical short- and long-term remediations for vulnerabilities.
- Effectively communicate findings and strategy to business stakeholders, including technical and executive leadership.
- Work closely with development teams to ensure remediated vulnerabilities are closed once the fixes are deployed to production.
- Ability to maintain and develop dashboards to track the status of security vulnerabilities.
- Follow up on overdue vulnerabilities to meet compliance requirements.
- Good to have security certifications: GIAC Web Application Penetration Tester (GWAPT), GIAC Penetration Tester (GPEN), Licensed Penetration Tester (LPT), Certified Ethical Hacker (CEH), OSCP or OSWE, etc.
- Active team player with interpersonal, collaborative, and consultative skills.
- Strong, clear, and concise verbal and written communication skills.
- Ability to adapt, reprioritize project work, and help drive the team's focus as priorities shift or requirements change.
Tags: Android APIs Application security Automation Burp Suite CEH Code analysis Compliance Computer Science CVSS Exploit Exploits GIAC GPEN GWAPT iOS Kali Linux Metasploit Network security NIST Nmap OSCP OWASP Pentesting Reverse engineering Risk analysis Risk assessment SDLC Security assessment Security strategy SQL Strategy Vulnerabilities Vulnerability management
Perks/benefits: Team events