« Home | Fast! » | Google Chrome Browser Exploit » | Google Browser Released » | MySpace Cofounder Tom Anderson Was A Real Life “Wa... » | DNS flaw redirects Internet users to wrong websites » | Adrian Pastor meeting Captain Crunch » | RP can’t do without policy on data privacy, security » | Red Hat servers breached » | Help, there's a resident rootkit in the memory » | Hijack the Internet »

Pen Tester Wanted


Found on the LinuxJobs-PH mailing list. Almost every security enthusiast has this as a kind of dream job =) Unfortunately I don't think I qualify :(

Good day,

Hi guys, we still have one more opening for the position indicated below:

Position/Title: Associate, Technology and Security Risk Services

Description

The SGV Security and Technology Solutions (STS) Team is a key
component of SGV & Co. / Ernst & Young's Technology and Security Risk
Services Practice. Ernst & Young's security professionals deliver
enterprise security and risk-based services enabling our clients to
take advantage of the evolving electronic economy in a secure manner.
These professionals have extensive experience with information
security protection, system security planning, information security
assessments and implementation, security program development, business
continuity planning, and strategic technology planning. These services
help companies validate their infrastructure; design and implement
business processes and technology solutions; address regulations; and
educate and train management and employees. We currently have a career
opportunity for a staff professional to participate in multiple client
engagement teams and other related activities in our Security and
Technology Solutions (STS) Team.

The STS Team is dedicated to providing attack and penetration security
testing and vulnerability assessment to discover and mitigate clients'
security risks before they can be exploited by unauthorized parties.
The STS Team is equipped and configured to provide maximum
collaboration and teaming opportunities.

Responsibilities

•Perform vulnerability assessment and penetration testing in internet,
intranet, dial-up and wireless environments
I think I can do these things =)

•Perform discovery and scanning for open ports and services
I can use nmap, superscan, etc and can most possibly learn how to use unicornscan, ikescan and a lot of other scanners =)

•Apply appropriate exploits to gain access and expand access as appropriate
Honestly I like metasploit for the exploits and meterpreter as the payload to pivot inside a network. And I know how to use net commands and how to psexec on windows networks =) Oh and a milw0rm compilation .tgz file is handy =)

•Participate in activities involving application penetration testing
and application source code review
I'm more partial to black box testing. Anything more complex than greppable insecure methods in source code usually means a lot of time required to exploit it =)

•Interact with the client as required throughout the engagement
Sure. If needed =)

•Prepare reports documenting discoveries during the engagement
No problem =)

•Debrief the client at the conclusion of each engagement
I can probaly do this too =)

•Participate in research and provide recommendations for continuous improvement
Ditto =)

•Participate in knowledge sharing
I blog dude =)

Qualifications

To qualify, candidates must have:

•A bachelor's or master's degree in computer science, information
technology, computer engineering, or a related major
Nope. I'm not an IT grad

•1 to 2 years of experience in one or more of the following:
UNIX-based Operating Systems (Linux, IBM AIX, HP-UX, Solaris, Mac OS
X), Windows, networking and wireless security; attack and penetration
testing; security testing of web-based applications; and application
security source code assessments. Fresh graduates are welcome to apply
Used to be a part-time *ehrm*.... But I graduated from that =)

•Experience with programming languages/platforms such as Java, J2EE,
x86 Assembly Language, C, C++, ASP, PERL, PHP, Ruby and Microsoft .NET
If I can program passably well in any of those languages I'd seek work as a programmer and not bother with security at all =)

•Experience in commercial and open source security tools including
BackTrack, Cain, Metasploit, CANVAS, WebInspect, Retina, ISS, and
Nessus/OpenVAS is a plus
Have used BackTrack, cain, Metasploit and Nessus. I have an old copy of CANVAS but it's way too old so I haven't played with it much. Oh, and why isn't Core Impact on the list? Too expensive =)

•Manual attack and penetration testing experience above and beyond
running automated tools is a plus
IMHO, this shouldn't be a "plus", it should be required =)

•Experience developing custom scripts or programs (used for port
scanning, vulnerability identification and exploitation) is a plus
I can use/learn more bash scripting =)

•Application development experience is a plus
Zero here =)

•Strong technical skills related to a broad range of operating systems
and databases
Define strong =)

•An understanding of web-based application vulnerabilities
I sorta have minor experience on finding vulns with web apps =)

•An understanding of global standards like COBIT, GLBA, HIPAA, FFIEC,
PCI DSS, and ISO/IEC 27001/27002/20000
I honestly have been trying to find time to read up on PCI DSS but I've been kinda busy =)

•Excellent teaming and communication skills
Yada yada blah blah blah =)

•Demonstrated integrity in a professional environment
Sure =)

•Willingness and ability to travel (including potential overseas
travel for international clients)
Yes! =)

The successful candidate must hold or be willing to pursue related
professional certifications such as CISSP, CISM, CEH, ECSA, LPT, GSEC
and/or CISA.
Hey, If you're going to pay for it... =) The exam fee alone is expensive not to mention the courses to prepare for it

If you are interested or have any questions, please email
your resume or queries to christian.s.masancay@???.

Hmm... =)