Job title: Mobile Pen Tester - Android
Location: Foster City, California, USA
Duration: 6 months, likely extension or conversion depending on performance.
Must have skills
Must have a Bachelor's degree in Computer Science or equivalent. Must have 2-4 years of penetration testing experience, mainly with mobile. Manager is okay with web but mainly wants mobile. Strong communication skills, as they will be communicating with upper management. Reporting and documentation skills.
Nice to have skills
Master's Degree and having Java experience.
Position Summary & Job Description
The Mobile Security Program (MSP) team builds security assurance for consumer and corporate mobile products across Client. As a member of Client's MSP team, the candidate will help:
• Execute successful adaptation of mobile security assurance across Client.
• Identify weaknesses and shortcomings in Client's existing security posture of various products and recommend necessary controls to securely protect Client assets and services from intentional or inadvertent modification.
• Drive successful adoption of Secure Software Development Lifecycle practices across product development teams.
• Help build foundational application security capabilities.
• Develop mobile security guidelines, requirements and standards for mobile product development, as well as enterprise mobile deployment and proactively mitigate risks associated with information security.
• Analyze security gaps in mobile technologies and frameworks that lack standard validation methodologies and incorporate remediation practices to reduce risk posture of Client products and assets.
• Develop tools and frameworks required to perform advanced and complex mobile security assurance and ethical hacking activities.
• Research mobile platform releases, capabilities and functionalities to understand and establish mobile security standards.
• Define, implement and scale consistent mobile security practices for all Client technology projects throughout the planning and delivery cycles that assure that investments in IT generate business value, and mitigate the risks associated with information security.
• Integrate architectural risk assessment and threat modeling of large scale enterprise applications and infrastructure into Software Development Lifecycle, to identify and reduce risk associated with information security in a timely manner.
• Ensure end-to-end security of Client products by means of hands-on testing, threat hypotheses, risk remediation advice and championing secure implementation efforts.
• Improve secure coding practices, application security requirements, automation, training, and metrics.
• Build strong cross-organizational relationships, and effectively influence staff across the IT organization, and broader enterprise.
• Collaborate with product development and solution teams proactively, to manage software security risk aligned with business goals.
• Collaborate with product and solution teams to achieve Global Information Security software security program objectives.
• Define a simplified security metrics approach that enables executive leaders, line leaders, and operational staff to quickly take action on application security related risks.
• Collaborate with all internal and third party application development teams to define an enterprise set of "reasonable" security controls that will protect the company brand from real or perceived security breaches.
• Build secure products and standards around emerging technologies and fields lacking existing standards and security practices.
• In addition, develop and optimize processes to improve software development efficiency in the consumption of security development practices. Utilize graduate-level research and analysis skills.
• Bachelor's degree in Computer Science, Electrical Engineering or a related technical discipline; advanced degree preferred.
• MUST have deep understanding of the OWASP Top 10 and CWE Top 25, with a proven track record and experience in implementing and integrating remediation strategies.
• MUST have an understanding of the basics of a mobile application and platform security concepts; deep understanding of those platforms, and advanced concepts related to SDKs and mobile wallets preferred.
• Understanding of web applications, development frameworks and web protocols would be a plus.
• Excellent penetration testing, application risk assessment and risk categorization skills, including but not limited to, reverse-engineering, network interception and manipulation, offensive and defensive attacks, as well as database and cross-site scripting injection attacks.
• Candidates with experience in the following tools/technologies should apply, but they are not required: Burp Suite, IDA Pro, APKTool, Hopper, Client Fortify, Checkmarx (SAST/DAST), Cycript, Xposed, Charles, dex2jar, Kali Linux, and Wireshark.
• Well-versed (experience preferred) in driving and implementing secure development practices into the SDLC (SSDLC); ability to successfully integrate security into a developer's world.
• Success in implementing effective Secure SDLC frameworks across a large corporation or ability to demonstrate experience in doing so.
• Candidates should be familiar with the agile development process and have experience integrating secure development practices into the model efficiently.
• MUST be a highly effective communicator and flawless writer.
• Solid problem solving and analytical skills; able to quickly digest any issue/problem encountered and recommend an appropriate solution.
• Self-motivated; able to work independently; able to negotiate and bring consensus to diverse priorities of product development and solution teams.
• Demonstrated leadership qualities, flexibility, adaptability to changes in roles and responsibility as required.
• 2 to 5 years in technology, information security, and/or application development.
• Excellent operational skills; quality and results oriented.
• Strategic thinker; visionary; innovative.
• Strong client service orientation.
• Bi/multi-lingual a plus.