Manual Ethical Hacker (MEH) Specialist, Global Information Security
Full time
at Bank of America Corporation
in
Online
Posted on March 30, 2024
Job details
Your background Skills:
- Experience in conducting vulnerability assessments, code reviews and penetration tests against web/mobile application technologies, services, platforms and languages to find flaws and exploits (e.g. SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, Remote Code Execution, Authentication/Authorization, Privilege Escalation, Business Logic Bypass, etc.)
- Experience in conducting Threat Modeling
- Knowledge of network and Web related protocols/technologies
- Experience with web application vulnerability scanning tools (e.g. IBM AppScan, NetSparker, Burp Suite Pro etc.)
- Experience with vulnerability assessment tools and penetration testing techniques (e.g. web application proxies, packet capture analysis software, browser extensions, advanced penetration testing Linux distributions, static source code analyzers, SoapUI etc.)
- Experience of penetration testing on mobile platforms such as iOS, Android, Windows and RIM.
- Solid programming/debugging skills with proficiency in one or more of the following: Java, JavaScript, HTML, XML, PHP, ASP.NET, AJAX, JSON, Objective-C
- Strong scripting skills (e.g. Python, Perl, Shell script, JavaScript)
- Mobile programming abilities such as Xcode, Objective-C
- Knowledge of a Structured Query Language
- Expert-level experience and very detailed technical knowledge in at least 3 of the following areas: general information security; security engineering; application architecture; authentication and security protocols; application session management; applied cryptography; common communication protocols; mobile frameworks, single sign-on technologies; exploit automation platforms; RESTful web services
- The ability to work independently and as part of a team, in a very large scale, enterprise setting
- Previous experience as an application security professional with a large Financial Institution is a plus
- Intellectually Curious
- Consistently thinks like a threat actor
- Demonstrated ability to learn and apply critical thinking to a variety of situations
- Ability to clearly communicate (written & verbal) business risk associated with a given vulnerability
- Adaptable & Flexible approach to work
- Ability to demonstrate manual web application testing experience
- BS/MS in Computer Science (or relevant work experience in a large scale IT environment)
- Additionally penetration testing specific qualifications would preferably include one or more from the following list:
- CREST Registered Penetration Testers (CRT)
- CREST Certified Web Application Tester
- Offensive Security Certified Professional (OSCP)
- Offensive Security Certified Expert (OSCE)
- Offensive Security Exploitation Expert (OSEE)
- Offensive Security Web Expert (OSWE)
- SANS GIAC Penetration Tester (GPEN)
- SANS GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- SANS GIAC Web Application Penetration Tester (GWAPT)
- Certified Ethical Hacker (CEH)
- Understanding the requirements of the applications and how to use them
- Testing applications using a variety of tools to identify vulnerabilities that could expose the Bank to risk
- Monitoring existing and proposed security standard setting groups
- Conducting meetings to communicate the findings and implications to stakeholders
- Performing vulnerability fix verification testing in support of the remediation
- Providing technical support to clients, management and staff throughout risk assessments and the implementation of appropriate data security procedures and products
- Acting as a SME, providing guidance and knowledge to reduce the vulnerabilities and risk when apps are being created
- Sharing knowledge with technical and non-technical colleagues directly and through training sessions
- Ensuring identified risks are managed effectively
- Contributing to the development and enhancement of the control function
- Design and perform tests and check cases to determine if infrastructure components, systems and applications meet confidentiality, integrity, authentication, availability, authorization, and non-repudiation standards.
- Translate requirements into test plan, write and execute test scripts or codes in line with standards and procedures to determine vulnerability to attacks.
- Certify infrastructure components, systems and applications that meet security standards.
Apply safely
To stay safe in your job search, information on common scams and to get free expert advice, we recommend that you visit SAFERjobs, a non-profit, joint industry and law enforcement organization working to combat job scams.