Posted: 2 months ago
Work from Office
Full Time
The applicant shall work with our development team to support and guide the creation of an Attack Surface Management tool and associated scripts. The applicant is expected to have extensive & intensive experience in penetration testing activities to ensure protection of the products from potential threats. The applicant shall adhere to the recognised standards & frameworks to ensure Invia's product security & systems are resilient to existing and emerging cyber security threats. The applicant shall define and execute penetration testing activities for both Invia's in-house products and external client products within Invia's security purview.

Key Responsibilities

- Contribute to the development of a platform that will collect risk data, provide analysis and reporting, and enable remediation. This is a significant initiative, providing you with the opportunity to make a huge impact.
- Acting as our key contact point for all penetration testing needs across Invia while providing a frictionless experience on all engagements.
- Owning and managing the annual penetration testing schedule for all applicable systems in scope and ensuring these are conducted as planned and all systems meet their annual testing requirements.
- Supporting and mentoring other team members within the Cyber Security capability and broader Technology teams on penetration testing and vulnerability management.
- Contributing to the development of technical hardening guidelines and engineering and assurance documentation for education and awareness, and providing subject matter expertise on all forms of penetration testing and the applicable use cases for each.
- Clearly communicating security issues and risks from testing findings to both technical and non-technical stakeholders.
- Engaging with business stakeholders and maintaining awareness of new systems and platforms and their ramifications on the organization's cyber security and risk posture.
- Maintaining solid relationships with developers, project managers, & platform owners so that they understand the critical nature of penetration testing.
- Conduct peer reviews for client reports drafted by other security engineers within the team.
- Perform and complete assigned client delivery work daily to the agreed schedule.
- Perform security reviews of application designs, source code and deployments as required, covering all types of applications (web application, web services, mobile applications, thick client applications, SaaS).
- Run attack and breach simulations.
- Adhere to cyber security strategies for Invia's products that enable stronger resilience to security threats.
- Deploy appropriate security measures, including but not limited to, relevant technologies, architectures, policies, and compliance frameworks.
- Perform regular penetration testing of web applications and related infrastructure (API endpoints, databases, payment systems etc.) for both internal Invia applications and client interface applications.
- Perform regular penetration testing of mobile applications (on Android and iOS platforms) within the scope of Invia's product range.
- Create and maintain documents for clients / auditors that clearly convey the risks and the recommended preventive actions required to mitigate them.
- Maintain a central repository of Audit NCs and maintain their respective resolution tracker.
- Actively define and update testing capabilities and methodologies deployed to ensure end-to-end security / vulnerability coverage.
- Provide hands-on support to Invia Product Leads to remediate issues encountered.
- Collaborate with cross-functional teams to evaluate, develop, implement, communicate, operate, monitor, and maintain security policies & procedures to promote a safe and secure platform.
- Keep abreast of current and emerging vulnerabilities, risks, and threats, in addition to understanding their appropriate countermeasures.
- Empower Team Invia to achieve high standards of cyber security culture.

Key challenges

- Working with a global organisation across multiple time zones
- Keeping abreast of current and emerging vulnerabilities, risks, and threats, in addition to understanding their appropriate countermeasures.

Key knowledge and experience

- Certified Offensive Security Certified Professional (OSCP)
- Strong customer-centric approach as well as excellent interpersonal skills & problem-solving skills.
- Extensive experience in pen testing Web applications, mobile applications (Android and iOS), API, Wireless, Network, Hardware & IoT.
- Extensive experience with various tools and frameworks like Kali Linux, Metasploit, Burp Suite, Nmap, Nessus, etc.
- Experience with Social Engineering Engagements including phishing, phone, and physical security controls.
- Extensive experience with Adversary Simulation (Red Teaming).
- Experience with Windows server infrastructure and IIS web servers
- Experience with Ubuntu and Apache web servers

Competent adherence to the following standards and frameworks

- Open Web Application Security Project (OWASP)
- OWASP Mobile Security
- OWASP Application Security Verification Standard (ASVS)
- NIST Cybersecurity Framework
- The Penetration Testing Execution Standard (PTES)
- Open-Source Security Testing Methodology Manual (OSSTMM)
- Mobile Security Testing Guide (MSTG)