Security Engineer

Overview

On Site
$40,000 - $60,000
Full Time

Skills

.NET
ASP
Angular
Bootstrap
C#
C +
C++
Code review
Architecture
Computer Engineering
Computer Science
DevOps
Firewalls
Fortify
Help Desk
J2EE
JQuery
JSON
Java
JavaScript
Linux
Lisp
Metasploit
NeXpose
Nessus
OOP
Object-oriented programming
PHP
Perl
Python
RDBMS
Ruby
SQL
SQL Server
SSL
Service-oriented architecture
Servlets
Software Engineer
Spring framework
TLS
Tomcat
UNIX
UNIX shell scripting
Wireshark
XHTML
XML
XSLT
application security testing
business operations
change management
client
code review
continuous
cryptography
debugging
disaster recovery
docker
document data
git
interpersonal
interpersonal skills
kubernetes
networking concepts
penetration testing
phishing
puppet
research

Job Details

Security Engineer / Penetration Tester

Our client provides penetration testing, vulnerability assessments and cyber risk management services to enterprise clients in the Pacific Northwest and throughout the United States. Their team of professionals consistently delivers deep technical services, helping clients solve their toughest security problems. With a growing array of projects, they are seeking an outstanding Security Engineer / Penetration Tester to serve the needs of their valued clients.

In addition to providing challenging and rewarding work, our client provides team members with a flexible, remote work lifestyle and a culture that rewards excellence. The team is comprised of seasoned professionals who love their craft and enjoy the camaraderie that comes from being part of a high-performing team.

The Security Engineer / Penetration Tester plays a key role on the team, performing penetration testing and vulnerability assessment work on, and within, client environments. The Security Engineer / Penetration Tester conducts formal tests on a variety of applications, networks, servers, databases, and other technology components to measure an organization's potential susceptibility to compromise. This work often involves innovative thinking to discover vulnerabilities and craft creative exploits not previously considered.

In addition to strong technical skills, the successful candidate for this role must have strong interpersonal skills and be able to communicate complex security topics to technical and leadership teams within client organizations. Key success factors include an eagerness to stay current on the latest vulnerabilities and technology trends, the ability to develop proofs of concept that accurately and effectively demonstrate vulnerabilities discovered, and the ability to communicate detailed technical findings and recommendations clearly both in person and in written form.

Duties and Opportunities:

  • Application Security
    • Automated Testing using current tools
    • Manual Testing
    • Source Code review
  • Architecture Review
    • Threat Modeling
    • Cloud / Container Deployment Scenarios
    • Full Stack
  • Mobile Application Testing
    • iOS
    • Android
  • Network Penetration Testing
    • Internal and External
    • Automated Vulnerability Detection
    • Manual Exploitation and Escalation
    • Goal-oriented Methodology
  • Perform application and infrastructure penetration tests & vulnerability assessments
  • Craft and deploy social engineering/phishing assessments
  • Perform security reviews of application designs, source code and deployments as required, covering all types of applications (web application, web services, mobile applications, thick client applications, SaaS)
  • Review and define requirements for information security improvements
  • Conduct architecture security reviews, application testing, internal vulnerability assessments and external penetration testing modeled after real world attackers (i.e., exploit and pivot)
  • Conduct security architecture reviews of the full stack, including applications built on cloud and emerging technologies such as mobile devices
  • Conduct manual application security testing and source code auditing for a variety of technologies
  • Provide clear, accurate, informative and detailed finding descriptions and remediation guidelines for developers, technical staff, and organizational leaders within Summit client organizations
  • Contribute toward the continuous improvement of Summit's security services, including the continuous enhancement of existing testing methodologies, materials, and supporting assets
  • Support Summit sales and client engagement efforts by gathering client infrastructure or application details, drafting statements of work, and serving in a pre-sales security engineering capacity
  • Other responsibilities include:
    • Performing security research on the latest best practices, trends, threats and vulnerabilities, technology frameworks, testing methodology and tools
    • Documenting and disseminating security guidelines for common security issues, remediation guidance, and security technology baselines
    • Developing custom tools and exploits to support security review and/or penetration testing
    • Drafting high-quality articles, white papers, and client-facing communications in an academically rigorous manner
  • Other duties as assigned

Key Qualifications:

  • Experience manually testing web applications
  • Enterprise level penetration testing including both internal and external environments
  • Experience with a variety of scripting, programming, and markup languages, such as Python, C, C++, Java, PHP, SQL, Scheme, ML, HTML/XHTML, UNIX shell scripting, JavaScript, CSS, Ruby, XML, XSLT, Perl, Lisp, .NET (C#/ASP), Assembly (RISC/CISC), etc.
  • Deployment/DevOps technologies such as Visual Studio, Git, Kubernetes, Docker, Puppet, Chef
  • Proficiency in Windows, Linux, and common IT systems, technologies and toolsets
  • Ability to explain networking concepts (Routing, ACL, Load Balancers, Firewalls, VPNs, SSL/TLS, TCP) in order to assess and provide application architecture feedback to clients
  • Background in web application development and/or code testing strongly preferred
  • Strong verbal, written, and in-person communication and presentation skills
  • Passion for discovering and researching new vulnerabilities and exploitation techniques
  • Application development background and security knowledge; example languages include C, C#, C++, Java, J2EE, .NET
  • Vulnerability and threat management experience
  • Experience with various security tools and products (Fortify, AppScan, Metasploit, SAINT, Nessus, nmap, Wireshark, Burp Proxy, NeXpose, Snort, etc.)
  • Good understanding of the components of a secure DLC/SDLC
  • Vulnerability analysis, debugging, and reverse engineering skills
  • Understanding of cryptography principles as they apply to data confidentiality and data integrity, and source-code-level identification of cryptography misuse
  • Ability to adapt to client needs and quickly learn new technologies
  • Desire to perfect your craft and become an expert in the field of technical security assessments and penetration tests
  • Desire to be part of, learn from, and make significant contributions to, a high-performance team of information security professionals
  • Reliability; provide dependable and accurate work product, follow-through, and communication, both internally and to clients
  • Drive and initiative to tackle new tasks and see them through to completion
  • Receptive and teachable for training on new skills, content, and technology. Able to effectively train others in same and related skills and modalities.
  • Ability to work effectively in a remote/virtual office environment and at client locations as needed
  • Ability to travel approximately 10% of the time as needed

Education & Experience

  • BS in Computer Engineering or Computer Science with specialization in Information Security; Master's degree preferred.
  • At least three years of hands-on information security experience in large, enterprise environments.

Senior Security Engineer

All of the above plus:

  • At least two additional years of hands-on information security penetration testing experience in large, enterprise environments.
  • Expert level proficiency in the Key Qualifications noted above.
  • Demonstrated success managing security assessment engagements from pre-sales client contact through final report deliverable and knowledge transfer.
  • Demonstrated ability to take an academically rigorous approach to solving clients' unique security challenges.

Job Purpose
The Software Engineer analyzes requirements and designs, codes, tests, installs and maintains application systems, programs, functions, services and other related software components in response to enterprise needs of moderate to high complexity.

Basic Qualifications Required - Experience, Skills, and Knowledge
Education: Degree in computer science, math, or other technology.
Previous Experience: Must have 2-4 years' experience as a software engineer.
Skills: Java, XML, JSON, XSLT, JSP, Servlets, HTML, JavaScript, CSS, JQuery, Bootstrap, Angular, Spring framework, SAML, REST, SOAP, Tomcat, WebSphere, SQL Server or other RDBMS, JavaServer Pages (JSP) and servlets, Service-oriented architecture/web services, Object-oriented programming (OOP) concepts and patterns.

Primary Job Accountabilities/ Responsibilities
Analyze requirements and design solutions for approved projects and change requests of moderate to high complexity and risk (10%)
Gather, organize and document data and requirements from various stakeholders and constituencies according to given direction and standards
Participate in design consultations with hardware and software technicians
Develop, document and present design solutions and supporting rationale
Prepare and obtain approval of estimates of work effort and duration for assigned tasks
Participate in the preparation of product vision and project documentation

Design/develop system, application and program code according to business and technical requirements (30%)
Identify and recommend software and infrastructure components required to implement technical solutions
Identify and recommend solution objects, functions, interfaces, dependencies, and integration points
Prepare design documentation; submit for design review
Convert basic specifications into equivalent infrastructure and application software structures.
Code and unit test independently or as part of a development team
Submit software products for review of compliance with best practices, standards and enterprise architecture (code review)

Participate in quality assurance and testing to achieve quality objectives (20%)
Review established quality requirements and measurement metrics
Participate in quality assurance and testing activities according to planned schedules
Learn, use and gain experience with testing tools and techniques
Perform technical support activities required for execution of test plans
Perform root cause analysis and defect correction as indicated by test results
Evaluate outcomes, report results and document findings according to current standards

Implement solutions (10%)
Adhere to change management requirements for application and system implementations
Analyze conditions, consult with experienced personnel and propose strategies that minimize implementation risk and/or improve system reliability and performance
Prepare change and Help Desk documentation according to implementation requirements
Provide for disaster recovery and back-out mechanisms as directed
Perform software implementation activities as directed and according to current standards and policies
Monitor implementations and respond appropriately and as directed in the event of disruptive impacts

Provide system support (20%)
Learn and enhance knowledge of the various multi-platform system support environments, utilities and procedures
Participate in on-call rotations
Provide timely, concise communication of incident status to appropriate personnel
Document incident occurrence and resolution(s) applied using designated repositories
Consult with staff personnel as required for effective incident resolution
Resolve development and support issues of moderate to high complexity or risk

Maintain and enhance knowledge of the business operations and strategic imperatives of (10%)
Periodically review business goals and operational and strategic objectives
Learn the key components and relationships of products, distribution channels, and customer base
Create and sustain open communication with business application users and stakeholders
Adhere to the Core Principles; pursue achievement of excellence in Core Competencies
Know the critical success factors supporting the Core Purpose, Mission, Goals and Strategy
