Lead Security Penetration Tester - Dallas, TX

Sorry, this job was removed at 12:42 p.m. (CST) on Saturday, February 5, 2022

Our Partners thrive The H-E-B Way. As a Lead Penetration Tester, you would have a...
HEART FOR PEOPLE ... you have a passion for mentorship and guidance, and love for the direct person-to-person interactions that create strong bonds between teams
HEAD FOR BUSINESS ... you have an ownership mentality and a consistent track record of timely delivery of high-quality software
PASSION FOR RESULTS ... the ability to guide the discussion, remove roadblocks, and provide guardrails for your team as they identify challenges and propose solutions
As a Lead Penetration Tester, you will perform consultative reviews of system architecture documentation; create the scope of work for engagements; conduct security testing engagements on scoped assets, systems, processes, and/or employees; and mentor other team members with lesser subject matter expertise.
ROLE

  • Works with Digital Compliance, Internal Audit, Business teams, and internal and external penetration testing vendors to scope, configure, and validate solutions to support penetration testing.
  • Perform network penetration, web and mobile application testing, source code reviews, threat analysis, wireless network assessments, and social-engineering assessments to identify and/or validate vulnerabilities and attack chains
  • Develop comprehensive and accurate reports and presentations for both technical and executive audiences
  • Works with business teams to identify remediation solutions to security findings.
  • Builds and maintains pen testing vendor partnerships to further H-E-B's mission and goals.
  • Researches and remains up to date with emerging threats and Threat Emulation methodologies. Maintains current knowledge of industry trends and standards in information security.
  • Responsible for continued personal growth in the areas of technology, business knowledge, and H-E-B policies and platforms.
  • Develops and documents standards and best practices.
  • Design, develop, document, optimize, automate, and implement Windows, Linux, virtual lab environments, virtual and cloud solutions that support penetration testing.


REQUIRED

  • 5+ years direct or equivalent experience in areas of penetration testing (web application, host, network), exploit development, fuzzing and designing countermeasures to identified security vulnerabilities/risks
  • Knowledge of attack surfaces in web technologies, networks, modern applications (microservices/containers), and operating systems; demonstrated ability to analyze closed-source applications using several off-the-shelf or custom-developed tools
  • Experience with tools such as: Kali Linux, Metasploit, Burp Suite, Cobalt Strike, Tenable Nessus, WebInspect, IDA Pro, Wireshark.
  • Experience with scripting and development languages (e.g., Bash, PowerShell, Python, Perl, Ruby, PHP, C/C++, C#, Java, etc.)
  • Experience with Windows, Linux and cloud environment testing.
  • Working knowledge of information systems security standards/practices (e.g., access control and system hardening, system audit and log file monitoring, security policies, and incident handling).
  • Must be detail-oriented and possess strong problem-solving skills and ability to analyze for potential future issues.
  • Demonstrate a high level of communication skills, verbal and written.
  • Experience with assessing APT threats, Penetration Testing, Vulnerability Management, attack methodologies, forensics analysis techniques, malware analysis, attack surface comprehension, Cyber Threat Emulation operations, Cyber Advanced Threat Emulation Team operations and research, identification, and/or verification of new APT TTPs.
  • Fundamental understanding of security testing for mobile applications, native applications, web applications, and distributed and database systems.


RECOMMENDED

  • A Bachelor's degree in Computer Science.
  • One or more professional security certifications such as CISA, CEH, GIAC, GSEC, OSCP or CISSP (or equivalent experience).
  • Demonstrated "hands-on" security knowledge and offensive security experience on the following platforms: Windows in a large Active Directory environment, Ubuntu/Red Hat and other Linux distributions; AIX and other Unix variants preferred
  • Offensive security experience in AWS/Azure or certifications in Cloud technologies.
  • Experience in the exploitation of containerization/orchestration technologies (Docker, Kubernetes, Podman, etc.)
  • Experience with testing APIs and integration techniques
  • Working understanding of security assessment frameworks such as PCI, HIPAA, GDPR, etc.
  • Experience developing Red Team applications, tools and infrastructure (e.g., implants, exploits, C2, etc.)


*** Position locations open to San Antonio, TX, Dallas, TX, Houston, TX and Austin, TX areas
ISSEC3232
