In general, the following activities are expected to be executed by the new team member:
- Hands-on penetration testing
- Development of helper security verification tools
- Performing security design reviews of web applications, network/cloud deployments
- Security code reviews of web applications and/or web APIs
- Writing clear vulnerability reports and providing guidance to the development teams on fixing the security issues
- Documentation of knowledge and findings in the form of guidelines, checklists and examples to be used by development teams
- Owning the project from beginning to end
Profile
The candidate needs to have the following qualifications:
- Strong hands-on penetration skills
- Deep knowledge of web technologies (HTML5, Java, JavaScript, Tomcat, etc.)
- Deep knowledge of application security mechanisms such as authentication and authorization techniques, data validation, output sanitization/encoding and proper use of encryption
- Excellent understanding of web applications, web browsers, web servers and frameworks
- Experience with common penetration testing tools, including Burp Suite, Nessus, sqlmap, Nmap, Wireshark
- Good knowledge of network protocols and network protection techniques (firewalls, filtering, other) and methods for bypassing them
- Deep knowledge of web service technologies such as WebSockets, SOAP, REST, JSON, XML, etc., as well as deep knowledge of web service security schemes such as OAuth, SAML, etc.
- Good working knowledge of at least one of these scripting languages or frameworks: Python, Ruby, NodeJS, PHP
- Working knowledge of basic cryptographic principles: symmetric/asymmetric encryption, PKI, etc.
- Experience with fuzzing and security code review
- Knowledge of multiple RDBMS systems: MySQL, PostgreSQL, Oracle, etc.
- Excellent analytical skills and ability to think out of the box
- Experience with both Linux and Windows OS
- Strong command of English
- Good communication and writing skills
Experience in the following topics is desirable:
- Experience with AWS (including serverless architectures), GCP, MS Azure
- Mobile application security