Web Application Penetration Tester

Talent Acquisition - Sr. Technology Recruiter at WTW

Location: WTW Taguig, National Capital Region, Philippines

Description

A penetration tester is responsible for assessing the security of web applications and its underlying infrastructure to identify vulnerabilities and weaknesses that could be exploited by attackers. Their role involves conducting thorough assessments and penetration tests to uncover potential security risks and provide recommendations for mitigation. The role will work closely alongside the rest of the Penetration Testing team, Business units and other Cyber team. We are looking for a collaborative team player, with a good technical knowledge in web application and infrastructure penetration testing. The successful candidate will contribute to and work as part of a global multi-disciplined security community with clear vision and direction, and top-down support across the business.

The Role

• Vulnerability Assessment: Conduct comprehensive assessments of web applications and infrastructure to identify security vulnerabilities, such as cross-site scripting (XSS), SQL injection, authentication flaws, insecure configurations, and poor host device and service configurations, and use these to penetrate deeper into the application/server.
• Penetration Testing: Perform controlled attacks on web applications, APIs, and infrastructure to simulate real-world hacking attempts and identify potential entry points for attackers. This involves utilizing various techniques, tools, and methodologies to exploit vulnerabilities and gain access.
• Security Analysis: Analyze the results of penetration tests to assess the severity of identified vulnerabilities, their potential impact on the system and the business, and the likelihood of exploitation.
• Reporting and Documentation: Prepare detailed reports that document the findings, including identified vulnerabilities, attack vectors, and recommendations for remediation.
• Remediation Support: Collaborate with developers and system administrators to assist in the remediation of identified vulnerabilities, including guidance on secure coding practices and validating fixes.
• Stay Up to Date: Keep abreast of the latest web application and infrastructure vulnerabilities, attack techniques, security tools, and industry best practices.
• Ethical Approach: Conduct all testing within a legal and ethical framework, ensuring systems and data are not harmed during the process.
• Continuous Improvement: Engage in professional development activities, such as attending conferences and obtaining relevant certifications, to enhance knowledge and skills in cyber security.

Qualifications

The Requirements

Minimum Criteria

• Education: A bachelor's degree in a related field such as computer science, information security, or cybersecurity is commonly preferred, but not always mandatory. Relevant industry experience can compensate for formal education requirements.
• Technical Knowledge: Strong understanding of web technologies, programming languages (e.g., HTML, CSS, JavaScript, PHP, Python), and web application architecture. Knowledge of networking fundamentals, operating systems, and databases is beneficial.

Skills

• Web Application Security: In-depth knowledge of web application vulnerabilities, common attack techniques, and mitigation strategies. Strong understanding of OWASP Top 10 vulnerabilities is crucial.
• Infrastructure Security: Working knowledge of different on-prem and cloud builds (IaaS, PaaS, SaaS), and knowledge of operating systems and their common flaws.
• Penetration Testing Techniques: Proficiency in various penetration testing methodologies, tools, and frameworks. Experience with manual testing techniques, automated vulnerability scanners, and exploit frameworks is necessary.
• Programming and Scripting: Proficiency in at least one programming language (e.g., Python, Ruby, or JavaScript) to write custom scripts and tools, and understanding SQL queries for database testing.
• Analytical and Problem-Solving Skills: Ability to analyze complex environments, identify vulnerabilities, and recommend countermeasures.

Holds Relevant Industry Certification/s Or Equivalent

• CEH – Certified Ethical Hacker
• OSCP – Offensive Security Certified Professional
• GPEN – GIAC Penetration Tester
• PNPT – Practical Network Penetration Tester
• Burp Suite Certified Practitioner
• eWAPT/eWAPTx – eLearning Web Application Penetration Tester

WTW is an Equal Opportunity Employer

Seniority level

• Entry level

Employment type

• Full-time

Job function

• Information Technology