Associate Penetration Tester

Position Summary

Claranet Cyber Security is a world class business unit within Claranet, designed to give customers access to market-leading information security expertise and services spanning; penetration testing, compliance consulting, training and managed services.

The primary function of the Penetration Tester in the CST team is to continually review the customers’ defined scope for vulnerabilities, identify additional targets that should be included in the scope, and report these to the client in a timely, accurate, and comprehensive manner. The Penetration Tester is also responsible for pre-engagement activities including scoping, statements of work, working with customers to determine their testing requirements and restrictions, on boarding customers into the service and contribute to the service improvement and further development.

To provide the best services to our clients, we need the best people working with us. With outstanding support from the business, all of our penetration testers will gain the experience needed to become the best they can be.

Our team is growing, and we need inspiring people to join us at all levels and help us to continue building a world leading cyber security operation whilst benefiting from a truly unique opportunity to fulfil their potential.

Essential duties & responsibilities

The Continuous Security Testing service is a consultant led vulnerability identification and verification service which makes use of automated vulnerability scanning along with significant manual testing against a broad scope in a continuing engagement. The purpose of the service is to continually monitor a customer’s external attack surface for new vulnerabilities, changes in the scope of the attack surface, and proactively inform customers of discovered issues along with recommended remediation; with the overall aim of reducing the lifetime of each vulnerability. Manual testing includes identification of issues which automation alone could not identify, exploitation of all issues, often chaining multiple findings together in order to determine the true impact of vulnerabilities for the customer.

Key Responsibilities:

• Manual identification and exploitation of vulnerabilities.
  
  
• Manual verification and exploitation of scanner findings.
  
  
• Detailed analysis of issues identified and exposure for the customer including proof of concept, reproduction steps, and recommended remediation.
  
  
• Communication of findings to the customer in a detailed, accurate and manageable manner both orally and through written vulnerability/scope notifications and periodic summaries.
  
  
• Continual professional development to maintain and develop knowledge and technical competencies.
  
  
• Maintain professional technical qualifications to demonstrate competency to our clients.
  
  
• Undertaking projects and support tasks as appropriate to the role.
  
  Progression:
  
  During mentoring and experience progression, the Associate Penetration Tester will be tasked with:
  
  
• Pre-engagement activities including scoping of assessments and statements of work and determining customer requirements and restrictions.
  
  
• Onboarding customers into the service including configuration of continual scanning and liaising with customer to resolve issues which may reduce the effectiveness of scanning.
  
  
• Monitoring of the customers’ external perimeter for changes, and proactive discovery of new targets to include within the customer’s scope.
  
  Essential Technical Skills
  
  
• Core computing skills including but not limited to: Networking fundamentals – understanding of OSI Model, TCP/IP, HTTP, DNS, SMB, SMTP and relevant tools.
  
  
• Microsoft Windows and Office proficiency along with proficiency in one or more Linux distributions.
  
  
• Good knowledge of web application technologies and security assessment including but not limited to: REST APIs, SOAP APIs, XML and JSON formats, Vulnerability identification and exploitation (not limited to OWASP Top 10) and Experience with common assessment tools such as MITM proxies (e.g. Burp Suite Pro) and SQLMap.
  
  
• Good knowledge of internal and external infrastructure technologies and security assessment including but not limited to: Identification and exploitation of misconfigurations or known vulnerabilities in common enterprise infrastructure and services (Windows Domains, Linux servers, virtualisation, databases, switches/routers, etc) and Windows and Linux Sandbox/Desktop Breakout.
  
  
• Knowledge of a scripting language such as Python (preferred), Ruby, PowerShell, or Bash, for the development of new, or editing existing, tools.
  
  Essential General Skills
  
  
• Must be self-motivated and able to work in an independent manner as well as part of a team
  
  
• Excellent written and oral communications skills
  
  
• Positive, collaborative and enthusiastic
  
  
• Appetite to shadow, train and develop to improve capabilities into all areas of security testing
  
  In addition, the following are highly desirable:
  
  
• CPSA - CREST Practitioner Security Analyst (or above)
  
  
• Public speaking experience
  
  
• A related Bachelor’s degree
  
  
• Experience with live bug bounties, particularly where automation has been implemented
  
  
• Knowledge of Open Source Intelligence gathering techniques. Including but not limited to use of Google dorks, DNS, domain registration, certificate transparency, and other public sources of information