Penetration Tester / Certified Ethical Hacker - RED team member
Location: Den Haag
KPN has an Information Security Office which consists of three teams: a team that focuses on strategy and policy to harden KPN against hacking attempts (Strategy and Policy), a team that focuses on detecting and verifying the risks of KPN systems (Ethical Hacking) and a team that focuses on responding to cybercrime (Computer Emergency Response Team). This job posting is for a position in the Ethical Hacking team (also known as REDteam).
What are you going to do?
You will report to the Ethical Hacking Team lead in KPN’s Information Security Office and will perform security vulnerability assessments of KPN’s core networks, products and services. You will apply your expertise to isolate, research, and exploit vulnerabilities on hardened devices. You will also be responsible for documenting your findings and creating recommendations for improved network, device, and application security. You will be performing penetration and vulnerability tests in accordance with industry-accepted methods and protocols.
Projects may include:
• Performing network-based security assessments;
• Performing security assessments on Internet-facing applications and sites;
• Performing security assessments on software applications;
• Performing penetration tests across public networks;
• Performing penetration tests across internal networks;
• Performing assessments of radio networks (e.g. Wi-Fi, GSM, LTE);
• Reverse Engineering Embedded Devices;
• Performing security consultation projects to assist internal KPN Segments to implement security controls;
• Consulting with KPN Segments on approach and proper implementation of technical security controls;
• Developing testing scripts and procedures;
• Other security-related projects that may be assigned according to skills.
You have at least some of the following experiences:
• Experience performing different types of security testing such as network penetration testing, wireless testing, code reviews, wireless and/or firewall assessments.
• Experience in developing for embedded systems. Android application development preferred. Android operating system/frameworks development experience a plus. Bootloader and kernel experience a plus.
• Software reverse engineering. IDA Pro experience preferred. ARM experience a plus.
• Exploit development. C, Java, or shellcode preferred.
• Computer forensics skills for cases involving recovering deleted files, discovering hidden files and partitions, encrypted files and partitions, and sensitive information leaks. Experience with flash memory data recovery issues, such as write leveling, a plus.
• Hardware skills. Includes use of lab equipment, such as multimeters, oscilloscopes, spectrum analyzers, and logic analyzers. Circuit modification and rework. Understanding of hardware design. Hardware-level security exploits, such as signal injection and side-channel analysis a plus. ARM assembly code development a plus.
• Experience with RF communication protocols a plus.
• Excellent knowledge of multiple Operating Systems: Windows, Linux, Solaris, OS X, etc.
• In-depth knowledge of HTTP proxying tools such as Burp, WebScarab, Charles, Fiddler, etc.
• Familiarity with Web technologies such as XML, SOAP, AJAX.
• Familiarity with web server and application software: IIS, Apache, WebLogic, WebSphere, Tomcat, etc.
• Experience with any of the following commercial application scanning tools: IBM's AppScan, HP's WebInspect, NTOSpider, Cenzic's Hailstorm, Application Security Inc.'s AppDetective, Arachni, OWASP Zed Attack Proxy, w3af, Vega, Acunetix, Skipfish, Websecurify, Netsparker, Websurgery.
• Experience with vulnerability scanning tools such as Tenable's Nessus, McAfee.
• Experience with open source software such as nmap, netcat, nikto, tcpdump, openssh, openssl, openvpn.
• Practical programming knowledge (C/C++, Perl, Python, Ruby, etc.) for potential tool and exploit development.
• Technical knowledge of network security products, cryptographic suites and network/application firewalls is a plus.
• Ability to assess physical and other process-related security using social engineering, lock picking, alternative resources and techniques, etc.
• Working as a team member on a large engagement to perform technical software and network environment testing.
What are the requirements?
The successful candidate MUST meet the following requirements:
• Strong ethics and understanding of ethics in business and information security;
• English and/or Dutch language written and communication skills;
• Investigative skills;
• Understanding and familiarity with common penetration testing methods and standards;
• Ability to organize project or job into tasks;
• Minimum of 2 years work experience performing security penetration tests or internal technical security audits;
• Be able to work independently, with minimal supervision;
• Be able to complete tasks and deliver written reports suitable for viewing by Internal Stakeholders on time;
• You are a strong team player with good communication skills.
What do we offer?
• Solid salary and benefit package, including an excellent pension;
• Excellent professional and personal development opportunities;
• Working in a new organization in which you can fully contribute to the further development;
• Working in a professional and ambitious team.
You can apply through the link.
This vacancy has a closing date of the 10th of March
Agency calls not appreciated.