Senior Penetration Tester

Job DescriptionJob Description

POSITION SUMMARY:

CODICE seeks a highly skilled Senior Penetration Tester to join our cybersecurity team. This role is crucial in ensuring the security and compliance of our systems through regular and ad-hoc penetration testing. The ideal candidate will be an expert in building and executing vulnerability assessment and penetration testing programs, with specific expertise in Ruby and the Ruby on Rails framework. This position reports to the Chief Information Security Officer (CISO) and plays a vital role in maintaining our organization's security posture.

ESSENTIAL FUNCTIONS

Duties and Responsibilities

• • Conduct regular and ad-hoc penetration tests on our systems, networks, and applications to identify security vulnerabilities and weaknesses.
  • Design, build, and maintain a comprehensive vulnerability assessment and penetration testing program.
  • Perform in-depth security assessments of Ruby on Rails applications, leveraging expert knowledge of the framework and its security implications.
  • Utilize a wide range of penetration testing tools and techniques to simulate real-world attacks and identify potential security breaches.
  • Analyze test results and provide detailed reports on findings, including severity assessments and remediation recommendations.
  • Work closely with development and operations teams to explain vulnerabilities and assist in implementing effective security controls.
  • Conduct security assessments of cloud environments, particularly AWS, addressing their specific security challenges.
  • Develop and maintain custom scripts and tools to enhance and automate the penetration testing process.
  • Stay current with the latest security threats, vulnerabilities, and exploitation techniques.
  • Participate in the development and improvement of security policies, standards, and best practices.
  • Provide expert guidance on secure coding practices, particularly for Ruby and Ruby on Rails applications.
  • Collaborate with the CISO and other security team members to continuously improve the organization's overall security posture.
  • Conduct post-exploitation analysis to determine the potential impact of identified vulnerabilities.
  • Assist in incident response activities when necessary, leveraging penetration testing skills to understand and mitigate threats

Knowledge, Skills and Abilities

Technical Skills

• Programming Languages
• Demonstrated proficiency in:
  • Python: Ability to write complex scripts for automation and exploitation
  • Ruby: Expert-level knowledge, including in-depth understanding of Ruby on Rails framework and its security implications
  • Perl: Familiarity with Perl scripting for text processing and system administration tasks
  • C: Understanding of low-level programming and memory management
  • C++: Knowledge of object-oriented programming and its application in security testing

• Scripting Skills
• Demonstrated expertise in:
  • Bash: Ability to create advanced shell scripts for automation and system interaction
  • PowerShell: Proficiency in writing scripts for Windows environment penetration testing
  • JavaScript: Capability to analyze and exploit client-side vulnerabilities
• Operating Systems
• Demonstrated expert knowledge of:
  • Windows: In-depth understanding of Windows architecture, services, and security mechanisms
  • Linux: Proficiency in various distributions, command-line operations, and system administration
  • Unix: Familiarity with Unix-based systems and their specific security considerations
• Network Protocols
• Demonstrated expert understanding of:
  • TCP/IP: Comprehensive knowledge of the TCP/IP stack and related protocols
  • UDP: Understanding of stateless communication and its security implications
  • DNS: Familiarity with DNS structure, record types, and common attack vectors
  • HTTP/S: In-depth knowledge of web protocols, including headers, methods, and secure communication
  • FTP: Understanding of file transfer protocols and associated vulnerabilities
  • SMTP: Familiarity with email protocols and related security issues
• Penetration Testing Tools
• Demonstrated proficiency with:
  • Metasploit: Advanced usage for exploitation and post-exploitation activities
  • Burp Suite: Expert-level use for web application security testing
  • Nmap: Proficiency in network discovery and security auditing
  • Wireshark: Advanced packet analysis and network traffic inspection
  • Nessus: Skill in vulnerability scanning and assessment
  • OpenVAS: Familiarity with open-source vulnerability scanning
• Vulnerability Identification and Exploitation
• Demonstrated expertise in:
  • SQL Injection: Advanced techniques for identifying and exploiting database vulnerabilities
  • Cross-Site Scripting (XSS): Proficiency in detecting and exploiting various types of XSS
  • Cross-Site Request Forgery (CSRF): Understanding of CSRF mechanics and exploitation
  • Buffer Overflows: Knowledge of memory corruption vulnerabilities and exploitation techniques
• Demonstrated knowledge of
• Advanced Exploitation Techniques: Familiarity with privilege escalation, pivoting, and lateral movement
• Post-Exploitation Methodologies: Understanding of maintaining access, data exfiltration, and covering tracks
• Cloud Security
• Demonstrated expertise with:
  • AWS: In-depth knowledge of AWS services and their security implications
  • Cloud-Specific Security Challenges: Understanding of shared responsibility models, misconfigurations, and cloud-native vulnerabilities
  • Proficiency in:
    • Cloud Security Tools: Experience with tools designed for cloud environment penetration testing
    • Cloud Penetration Testing Techniques: Familiarity with methodologies specific to cloud infrastructure testing
• Web Application Security Skills and Experience
• Web Application Vulnerabilities
• Demonstrated expertise of:
  • OWASP Top Ten: Comprehensive understanding of the most critical web application security risks
  • Other Common Vulnerabilities: Familiarity with issues like insecure deserialization, XML external entities (XXE), server-side request forgery (SSRF)
  • Web Application and API Testing

Demonstrated expertise in:

• • • Manual Testing Techniques: Proficiency in hands-on discovery and exploitation of web vulnerabilities
    • Automated Testing Tools: Experience with web application scanners and API testing tools
    • API Security: Understanding of REST, SOAP, and GraphQL API vulnerabilities and testing methodologies
  • Secure Coding Practices
    • In-depth understanding of secure coding principles, particularly in Ruby on Rails applications
    • Ability to provide actionable recommendations for remediating identified vulnerabilities

QUALIFICATIONS

Required Education:

• Bachelor’s degree in computer science, Information Technology, Cybersecurity, or a related field.

Required Experience:

• Minimum of 8 years of experience in penetration testing and ethical hacking
• Proven track record of successful penetration tests and vulnerability assessments
• Strong analytical and problem-solving skills
• Excellent written and verbal communication skills
• Ability to explain complex technical concepts to both technical and non-technical stakeholders
• Self-motivated with a passion for continuous learning in cybersecurity
• Strong ethical standards and integrity
• Ability to work independently and as part of a team in a fast-paced environment
• Familiarity with compliance standards (e.g., PCI DSS, HIPAA, SOC 2)
• Understanding of risk assessment methodologies
• Experience with writing detailed, actionable penetration testing reports
• Knowledge of secure development practices and SDLC integration

Required Licensure/ Certification:

Relevant industry certifications such as:

• Offensive Security Certified Professional (OSCP)
• Certified Ethical Hacker (CEH)
• GIAC Penetration Tester (GPEN)
• Other equivalent certifications demonstrating advanced penetration testing skills

Preferred Education:

Master’s degree in computer science, Information Technology, or a related field

Company DescriptionCODICE provides innovative solutions in health information management for the full lifecycle of healthcare finance and compliance operations. Our customized knowledge-based software helps manage healthcare costs.

At the heart of CODICE services are our technology competencies. Paired with our unparalleled process methods, these competencies deliver solutions and results that become an integral part of our clients success. CODICE's technical expertise can be leveraged for full system development, project management or staff augmentation. CODICE areas of expertise include:

SYSTEM DEVELOPMENT: Fully customized development from requirements to testing.

ENTERPRISE CONTENT MANAGEMENT: System implementations for content management, digital assets, web content and record keeping.

SYSTEM INTEGRATION: Expert integrations using open standards, APIs, and a comprehensive toolkit to seamlessly link applications.

DATA WAREHOUSING & BUSINESS INTELLIGENCE: Data collection and analysis from multiple sources into a single access point portal that provides tools for key business functions.Company DescriptionCODICE provides innovative solutions in health information management for the full lifecycle of healthcare finance and compliance operations. Our customized knowledge-based software helps manage healthcare costs.\r
\r
At the heart of CODICE services are our technology competencies. Paired with our unparalleled process methods, these competencies deliver solutions and results that become an integral part of our clients success. CODICE's technical expertise can be leveraged for full system development, project management or staff augmentation. CODICE areas of expertise include: \r
\r
SYSTEM DEVELOPMENT: Fully customized development from requirements to testing. \r
\r
ENTERPRISE CONTENT MANAGEMENT: System implementations for content management, digital assets, web content and record keeping. \r
\r
SYSTEM INTEGRATION: Expert integrations using open standards, APIs, and a comprehensive toolkit to seamlessly link applications. \r
\r
DATA WAREHOUSING & BUSINESS INTELLIGENCE: Data collection and analysis from multiple sources into a single access point portal that provides tools for key business functions.

---