Security Evaluator - Penetration Tester

Company Description

SGS Brightsight is part of SGS – the world's leading testing, inspection and certification company. At SGS Brightsight, we support companies in getting their products ready and in compliance with the latest security regulations and requirements. With over 35 years of experience in evaluating IT products in different industries, we evaluate these products against requirements set by governmental and private schemes. SGS Brightsight has been a Common Criteria and EMVCo hardware lab since 2002.

Job Description

As a Penetration Tester, you will be responsible for assessing the security posture of software applications, systems and networks by identifying vulnerabilities and conducting ethical hacking activities. Your role will involve performing test activities on IT products under certain evaluation scheme requirement, such as network device, encryption software or mobile device based on Common Criteria, Cybersecurity Labelling Scheme etc. This will include developer document review, product vulnerability analysis, design and realize test case, analyse and validate test results and reporting to the customer.

We are looking for a person with a fascination for cybersecurity. You will join a multidisciplinary team to execute security evaluations on state-of-the-art products such as, trusted execution environment, hypervisor, real time operating systems, artificial intelligence, secure elements, network devices, key managers, hardware security modules etc.

Duties and Responsibilities

• Review developer document: Review design, guidance or testing document from IT product developer, searching for any potential clue that may cause security issue. Collaborate with development teams to understand software architecture, design and implementation details when needed.
• Verify security function: Perform security audits to evaluate the effectiveness of existing security controls working as per design.
• Physical/logical security assessments: Conduct physical/logical assessments of IT products to identify any attack interface that may use for further exploiting.
• Search for vulnerability: Searching online or in any public domain, including utilizing a variety of penetration testing techniques, tools and frameworks to identify any potential vulnerabilities.
• Design test case: Based on the technical specification and information collected, design product security function test case and penetration test case, discuss with evaluator to ensure the test case cover all the scheme requirement.
• Conduct testing: Familiar with Fuzz test, source code review and reverse engineering, be able to conduct manual and automated testing to identify security flaws in IT products.
• Analyse testing result: Analyse and interpret the test result, communicate with developer if any issue found. Provide suggest and advise to developer for corrective action.
• Write report: Provide detailed reports and actionable recommendations, including but not limit to testing purpose, tool used, vulnerability analyse, findings, communication with developer and conclusion.
• Keep update: Stay updated on the latest security threats, vulnerabilities and countermeasures, and continuously enhance knowledge and skills in the field of penetration testing.
• Keep improve: Participate in the development and improvement of analysis practices, guidelines and security testing methodologies.

Qualifications

• Bachelor’s degree in a technical field of study such as Computer Science, Information Technology, Telecommunications, Electronics, Physics, Mathematics or equivalent.
• Minimum 3 years of relevant experience.
• Good understanding of IT security research and development.
• Good problem-solving skills and the ability to think creatively and strategically during penetration testing activities.
• Familiar with at least one programming language.
• Knowledge/experience in security bug finding and exploitation.
• Experience using penetration testing tools and frameworks such as Burp Suite, Metasploit, or Nessus
• Collaborative and team player, self-motivated, creative and customer oriented.
• Willingness and ability to travel if and when required.
• Proven experience in Common Criteria projects preferably.
• Relevant certifications, such as Certified Information Systems Security Professional (CISSP), OffSec Certified Professional (OSCP) or Certified Ethical Hacker (CEH), are a plus.

Additional Information

SGS Brightsight provides a very good training program, from the basics to expert level We offer a supportive work environment that fosters professional growth and development We offer a competitive salary package based on the candidate.

At SGS Brightsight you will:

• Be part of a multicultural team with highly motivated colleagues from all over the world
• Work for the recognized global leader in security evaluations
• Work with all major developers on their latest innovations
• Enjoy an informal and intellectually challenging work environment