IBM Security Consultant - Penetration Testing 

India, Karnataka, Bengaluru 

328929699

Key responsibilities

• Plan the penetration test
• Select, design and create appropriate tools for testing
• Perform the penetration test on computer systems, networks, web-based and mobile applications
• Document your methodologies, findings
• Gather the data intelligence not only from the output of the automated penetration tools but also from information gathered from interaction with product teams , previous results , threat model and source code scanning inputs.
• Review your findings and feedback to development teams
• Analyse the outcomes and make recommendations for security improvements
• Carry out application, network, systems and infrastructure penetration tests
• Review physical security and perform social engineering tests where appropriate
• Evaluate and select from a range of penetration testing tools
• Keep up to date with latest testing and ethical hacking methods
• Deploy the testing methodology and collect data
• Report on findings to a range of stakeholders
• Make suggestions for security improvements
• Enhance existing methodology material

Required Technical and Professional Expertise

• Experience – 4 to 8 years in Cybersecurity
• Web Application Testing
• Basic understanding of HTTP Protocol
• HTTP Methods, Request/Response Headers, Cookies, TCP/IP connections over HTTP etc.
• Basic understanding of HTML/JavaScript
• Good Understanding of security vulnerabilities, OWASP Top 10 vulnerabilities

Automated Testing

• Must have knowledge of at least one of IBM AppScan OR BurpSuite scanner. (Good to have knowledge of both the tools.)
• Should be able to configure automated scanner (such as Login sequence, manually exploring critical flaws, Policy customization, scan throttling, etc…) to perform successful scan.
• Assessment of scanner results and intelligently identifying false positives from the scan results.
• Knowledge of Burp features mainly, Spider, Intruder, Scanner, Repeater and Extender.

Manual Testing.

• Should be able to understand the above mentioned OWASP Top 10 categories to perform manual testing.
• Flaws like, Authentication (session management) testing, CSRF, business logic testing which are not detected by an automated scanner must be identified using manual testing.
• Understanding of the workflow of the application and identifying the entry points to detect possible vulnerabilities.

Preferred Technical and Professional Expertise

• Webservice Testing
• SOAP/REST APIs testing.
• Configuring cURL commands and POSTMAN tool to capture the request in automated scanner.

Network Testing

• Basic understanding of networking protocols such as TCP, UDP, DNS, DHCP etc.
• Basic understanding of network devices like router, switches, firewall/IDS/IPS etc..
• Network scanning tools such as Nessus, Nmap, Metasploit etc.
• Exploitation and Post Exploitation of network vulnerabilities.
• Threat Model and Source code security scanning
• Perform/Participate in threat model creation/design or review
• Perform source code security scanning using (SAST) tools like IBM AppScan, Contrast and other popular open-source tools.

Security Certifications

• Any of the security certifications such as CEH, ECSA, EWPT, EWPTX, OSCP, GPEN, GWAPT etc