Manila - Application and Product Security I Analyst III

Job Description

Description

All the findings by the Senior Pen Tester will need to be clearly documented and relayed to the design team for mitigation. The Senior Pen Tester will need to be very versatile in their attack vectors and their knowledge of exploits. The ideal candidate will be well experienced in a broad range of attack vectors across a wide spectrum of devices from small, embedded devices to wide and complex cloud ecosystems.

The Senior Pen Tester will be expected to stay current with the latest security threats and attack vectors that can be deployed against the product portfolio. They should also have experience in communicating clearly and concisely the findings of these activities to an audience.

The Senior Pen Tester will be expected to use their knowledge and experience to further develop internal testing processes and procedures.

Responsibilities

In addition to performing internal application and product security assessments the Senior Pen Tester will be expected to support response to possible breaches of security based on newly disclosed information. Other key duties include:

• Conduct security evaluation and threat assessments of embedded systems, mobile applications, web applications
• Conduct research for the purposes of finding new vulnerabilities and enhancing existing capabilities
• Circumventing security protection methods and techniques
• Performing data bus monitoring (snooping) and data injection
• Conduct communications protocol analysis in the embedded products, and applications
• Conduct wireless communications channel snooping, and data injection
• Reverse engineering complex systems and protocols
• Create detailed technical reports and proof of concept code to document findings
• Perform System Breakdown of the project/product before testing, identify and evaluate all the testing requirements and plan out the detailed testing activities, resources etc.
• Proactive detailed interaction with respective engineering group on the testing needs, testing progress/status and provide detailed analysis report
• Have effective Gitlab issue management reviewing and, providing mentorship and direction on planned testing activities for junior resources in line with defined processes and procedures. Assist in leading testing activities in all the regions, provide head-to-head support to Assessment Pillar Manager and help to drive continuous improvement in testing processes and procedures.
• Thorough adherence and follow-up of VERTIV SECURE requirements and Vulnerability Management and Incident Response processes.
• Preference given to other practical skills such as: functional analysis, memory image capture, static memory analysis, and data element extraction, etc.

• Understanding and development experience of embedded systems / software, and web-based applications
• Linux network device driver/data-path performance exposure
• Familiarity with compilers, debuggers, disassemblers, and other low-level development and analysis tools
• Exposure to binary analysis tools such as IDA Pro, WinDbg, BinWalk, Valgrind, PIN, Panda, and S2E
• Working knowledge of hacking tools and techniques such as memory corruption exploits, rootkits, protocol poisoning, browser-based attacks, DNS poisoning, MetaSploit, nmap, Nessus, etc.
• Experience with UNIX kernel internals and low-level Windows internals
• Comfort with reading and understanding of x86 and/or ARM assembly
• Experience with program analysis techniques such as taint analysis, program slicing, symbolic execution, constraint solving, and dynamic instrumentation
• An understanding of common cryptographic algorithms and protocols including their weaknesses and attacks against them
• Ability to extract software/firmware from provided hardware
• Meaningful experience utilizing git (Github or gitlab)
• Understanding of network protocols and experience developing packet-level programs
• Experience with common microcontroller programming tools and debugging interfaces
• Linux network device driver/data-path performance exposure
• Exposure to Layer 2, Layer 3 networking, QoS
• Network and/or application security knowledge (L2/L3 firewall, DPI, IDS, IPS)
• Knowledge of common malware/botnet exploits and how they are targeted to exploit embedded systems
• Operating system configuration of Windows, Linux, Android, and iOS
• Computer boot process including boot loaders
• Conducting security evaluation and threat assessments of embedded systems, mobile applications, web applications
• An understanding of common cryptographic algorithms and protocols including their weaknesses and attacks against them
• Familiarity with compilers, debuggers, disassemblers, and other low-level development and analysis tools
• Having hands on real-time embedded C/C++ development experience that includes recent lab activities integrating with and debugging on target hardware.