Center for Internet Security, Inc.

Senior Penetration Tester - Remote

Job Locations: US
ID: 2022-1713
Category: Cybersecurity Operations
Type: Regular Full-Time
Remote?: Yes

Overview

As the Senior Penetration Tester, you will be a subject matter expert in conducting vulnerability and security assessments, to include penetration tests, of both internal CIS networks and State, Local, Tribal, and Territorial (SLTT) government networks and systems. This is a hybrid position that will split responsibilities between Operations and Security Services (OSS) and the CIS Information Security Office (ISO).


The Center for Internet Security (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit responsible for industry leading best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats.

What You'll Do

  • Co-lead vulnerability scanning and penetration testing for internal CIS networks and SLTT organizations
  • Represent CIS in assessment-related engagements, to include introductory meetings, planning and scoping engagements, and post-assessment debriefs
  • Build and maintain successful relationships with internal CIS teams as well as existing and prospective MS-/EI-ISAC members
  • Create detailed, easy to read, and actionable reports of assessment activity for consumption by internal and external organizations
  • Develop and implement tools for penetration testing and early warning of weaknesses or possible incidents building on methodologies as promulgated by CIS, NIST, etc.
  • Configure, manage, and maintain security testing platforms and tools
  • Create, manage, and continually improve procedures for security testing
  • Perform penetration testing against internal- and external-facing applications
  • Assist in driving internal purple team assessments on key resources and applications
  • Assist in the development of threat models for CIS applications
  • Perform proactive research to detect new attack vectors and critical vulnerabilities; work with CIS operational teams, specifically the Cyber Threat Intelligence (CTI) team, to provide early warning communications to SLTT members with recommendations to facilitate proactive defense
  • Correctly balance security risk and product advancement
  • Assist in training and mentoring other team members
  • Assist with improvements to policies, procedures, technologies, tools, techniques, and operational efficiencies
  • Other tasks and responsibilities as assigned

What You'll Need

  • Bachelor’s degree in a related field*
  • 3+ years of experience in penetration testing and vulnerability assessments
  • Experience with vulnerability scanning tools such as Nessus, Qualys, Nexpose, etc.
  • Experience with web application and penetration testing tools such as Metasploit, BurpSuite, ZAP, etc.
  • Ability to maintain strict confidentiality
  • The position is open to U.S. citizens and requires a favorably adjudicated DHS Fitness Review for Public Trust Positions.**
  • Must be authorized to work in the United States

It's a Plus if You Have:

  • Certifications in related areas (GPEN, OSCP, GXPN, etc.)
  • Knowledge of secure web app design, cryptography and key material handling, authentication mechanisms such as OAuth, SAML or OpenID, sensitive data protection, and SDLC integration (fuzzing tests, static and dynamic code analysis)
  • Experienced in the use of source code scanners and the ability to manually validate findings/eliminate false positives
  • Familiar with the use of various manual and dynamic application vulnerability testing suites
  • Ability to detect, define, exploit, and remediate OWASP top 10 vulnerabilities without the use of a vulnerability scanner
  • Proficiency with scripting languages (e.g., Python, Bash, PowerShell)
  • Red Team or Purple Team experience
  • Knowledge of CIS Controls, NIST standards, and SOC 2 compliance

*Additional years of relevant experience or a combination of an Associate’s degree or equivalent and relevant experience may be substituted for the Bachelor’s degree.


**Factors that may cause a negative Fitness Review decision include:

  • Criminal Conduct
  • Dishonest Conduct
  • Employment Misconduct
  • Alcohol Abuse
  • Drug Use (illegal drug use or use of a legal drug in a manner that deviates from approved medical direction). Additionally, illegal drug use includes the use of drugs that are illegal for federal purposes despite being legal in select states and countries, such as marijuana.
  • False Statements
  • Financial Issues
  • Have not resided in the US for three (3) of the past five (5) years

At CIS, we are committed to providing an inclusive environment in which the diverse backgrounds, experiences, and views of our employees, members, and customers are valued and respected. It is through this commitment that we are able to work together towards our common mission: to make the connected world a safer place.
