H&R Block is seeking an experienced Penetration Tester to conduct full-scope vulnerability assessments and penetration tests. The Penetration Tester must be able to plan, coordinate, and perform red team and penetration testing technical assessments; maintain communication between system owners and the assessment team before, during, and after test events; develop test plans; and perform the management and administrative functions of the assessment team, including data gathering, exploit approval, and report generation after test activities. The role also maintains the assessment team's processes and procedures and manages the upkeep of the standardized testing platform.
Responsibilities will include:
- Plan, communicate, coordinate, and perform penetration tests and security assessments at the application, system, and enterprise level.
- Develop all Rules of Engagement, scoping documents, and reports.
- Perform manual penetration tests and validate vulnerability scan results.
- Develop automation and scripts for replicating vulnerability validation and penetration tests.
- Develop SOPs and architect all penetration testing and security assessment methodologies.
- Devise plans and scenarios for various types of penetration tests.
- Document exploits and findings in the remediation and final reports.
- Perform information technology security research to remain current on emerging technology trends, and develop exploits for disclosed and undisclosed vulnerabilities.
- Contribute to developing and implementing tools for penetration testing and for early warning of weaknesses or possible incidents, building on methodologies promulgated by NIST, ISO, etc., so that the methods used to quantify risk are useful, measurable, and repeatable.
- Select, install, and configure security testing platforms and tools, or develop tools and procedures for vulnerability assessments and penetration tests.
- Contribute to the application of FISMA compliance mechanisms, including the NIST SP 800 series, supplemented by sound methodologies in place of weakly defined and subjective scores.
- Perform vulnerability assessments using automated tools (Metasploit, Nmap, Nessus, Burp Suite, etc.).
- Perform off-hours work as necessary.
Qualifications will include:
- Experience in penetration testing large and complex enterprise networks
- Experience applying penetration testing methodologies
- Experience with web and mobile applications, databases, and operating systems
- Experience with regulatory compliance, policy development, and policy enforcement
- Experience with FISMA compliance and the NIST SP 800 series
- Experience with DISA STIGs or similar secure configuration guidelines
- Experience in the roles identified above
- At least three years of penetration testing experience
- Excellent communication and interpersonal skills
- Hands-on OS configuration and administration experience
- Programming experience with a focus on penetration testing or process automation
- Experience with cyber security development projects and programs
- Experience with process development and deployment
- Experience with the following technologies:
  - Kali Linux
  - Burp Suite
- Experience with three or more of the following:
  - Security COTS integration
  - Security Information and Event Management (SIEM)
  - Operating system hardening
  - Vulnerability assessment testing
  - Identification and authentication schemes
  - Public Key Infrastructure and identity management
  - Cross Domain Solutions
  - Reverse engineering
  - Security engineering
- Excellent writing skills
- Bachelor’s degree in a related field; equivalent experience in military, civil, or corporate continuity planning will be considered
- DoD 8570.01-M compliance at IAT Level II; CISSP, CPT, or CEH preferred