Navy Federal Credit Union - Raleigh, NC

posted 4 months ago

Full-time - Mid Level
Raleigh, NC
Credit Intermediation and Related Activities

About the position

The position involves performing penetration testing against systems across Navy Federal Credit Union (NFCU) to identify weaknesses and provide guidance on remediation and prevention. The role encompasses conducting assessments on applications, networks, wireless, and mobile systems, as well as leading red team campaigns. The individual will assess a wide variety of critical systems and applications to discover exploitable risks to the credit union and improve the organization's risk posture. The work is performed under limited supervision, requiring a high level of independence and expertise.

The responsibilities include independently managing penetration tests from inception through delivery, which involves scoping assessments, establishing rules of engagement, and designing penetration tests for systems and applications using established assessment frameworks. The candidate will need to account for both common and unique application and system considerations while sourcing and leveraging information such as source code and architecture diagrams to enhance assessment coverage. Coordination and scheduling of testing with engineering teams across the enterprise is essential, along with effectively managing relationships and communicating with these teams before, during, and after testing. As a subject matter expert, the individual will communicate results, preventative measures, and remediation steps to engineering teams, acting as a technical lead for multi-resource engagements.

The role requires identifying and prescribing remediation for vulnerabilities in NFCU applications, systems, and networks, leveraging complex tactics including lateral movement, network tunneling/pivoting, credential compromise, and hash cracking. The candidate will lead red team exercises focusing on stealth, long campaigns, social engineering, and realistic threats, enhancing testing by identifying novel attack patterns based on real-world data.
The position also involves performing attacks consistent with common threats, such as those outlined in the OWASP top 10, as well as uncommonly observed attacks specific to certain technologies and frameworks. Researching and developing exploits for local and remote targets, crafting proofs of concept, and deploying exploits for both public and novel vulnerabilities are key tasks. The candidate will create and automate custom fuzzing techniques relevant to NFCU technologies and develop custom scripts to check for security requirements specific to individual applications. Communication of complex technical risks to non-technical and executive audiences is crucial, as is employing operational security best practices to minimize the distribution of vulnerability data. Mentoring and supporting more junior staff across the security organization is also part of the role.

Responsibilities

  • Independently manage penetration tests from inception through delivery.
  • Scope assessments and establish rules of engagement.
  • Design penetration tests for systems and applications using established assessment frameworks.
  • Source and leverage information such as source code and architecture diagrams to enhance assessment coverage.
  • Coordinate and schedule testing with engineering teams across the enterprise.
  • Effectively manage relationships and communicate with engineering teams before, during, and after testing.
  • Act as subject matter expert with engineering teams when communicating results, preventative measures, and remediation steps.
  • Act as a technical lead for multi-resource engagements.
  • Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks.
  • Leverage complex tactics including lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.
  • Lead red team exercises with a focus on stealth, long campaigns, social engineering, and realistic threats.
  • Enhance testing by identifying novel attack patterns against NFCU systems and applications based on real-world data.
  • Perform attacks consistent with common threats (e.g., OWASP top 10) as well as uncommonly observed attacks specific to certain technologies and frameworks.
  • Research and develop exploits for local and remote targets.
  • Craft proofs of concept as well as deployable exploits for both public and novel vulnerabilities.
  • Create and automate custom fuzzing, leveraging techniques relevant to NFCU technologies.
  • Develop custom scripts (Nuclei, Python, etc.) to check for security requirements specific to individual applications.
  • Communicate complex technical risks concisely to non-technical and executive audiences.
  • Effectively employ OpSec best practices to minimize distribution of vulnerability data.
  • Mentor and support more junior staff across the security organization.

Requirements

  • Bachelor's Degree in Information Technology, Electrical Engineering, Computer Science, or equivalent combination of education, training, or experience.
  • Advanced hands-on experience in cybersecurity and/or application security, with hands-on penetration testing or red teaming as the primary/exclusive role.
  • Advanced knowledge of MITRE ATT&CK and/or CAPEC Frameworks.
  • Experience testing against Active Directory environments.
  • Experience testing against both Linux-based and Windows-based systems.
  • Experience developing custom malware and evading EDR solutions.
  • Experience coding in languages and on frameworks such as Python, JavaScript, Bash, PowerShell, Java, C#, C++, Spring Boot, React, NodeJS.
  • Advanced networking knowledge spanning IPv4/6, DNS, TCP/UDP, TLS/SSL, SSH, HTTP, SOCKS.
  • Advanced knowledge of modern cryptographic hashing & encryption methods and best practices.
  • Advanced organizational, planning, and time management skills.
  • Advanced communication, presentation, and analytical skills.

Nice-to-haves

  • Advanced degree in Information Technology, Electrical Engineering, Computer Science, or equivalent combination of education, training, or experience.
  • At least one of the following certifications: OSCP, OSCE, OSEE, OSWE, OSWP, CREST penetration testing certifications ("Registered" and "Certified" levels such as CRT or CCSAS).
  • Experience writing enterprise applications or performing techniques such as source code review, pair programming, etc.
  • Experience leading testing engagements end to end.
  • Advanced knowledge of Navy Federal's functions, philosophy, operations, and organizational objectives.

Benefits

  • Competitive salary based on experience and market position.
  • Opportunities for professional development and career growth.
  • Flexible work hours and remote work options.
  • Comprehensive health insurance coverage.
  • 401(k) retirement savings plan with matching contributions.
  • Paid time off and holidays.
  • Support for ongoing education and skill development.
© 2024 Teal Labs, Inc