Legal Staff Other in Palo Alto, CA

Law Firm

Palo Alto, CA

Legal Staff

Min 5 yrs required

No

Job Title: Security Vulnerability and Penetration Testing (VAPT) Engineer

Job Responsibilities:
The Security Vulnerability and Penetration Testing (VAPT) Engineer is tasked with overseeing and acting as a technical resource for all assessment activities related to the security posture of existing and proposed systems, platforms, and processes at the law firm. The primary goal is to protect and continually enhance the confidentiality, integrity, and availability of information systems in alignment with the firm's business objectives, regulatory requirements, and strategic goals. Key responsibilities include:

- Performing security penetration testing on the firm's systems, platforms, and applications.
- Serving as a Subject Matter Expert (SME) for the VAPT function.
- Acting as the system owner for common VAPT toolsets, platforms, and processes.
- Providing technical assessment reports that are easily understandable by the target audience, along with practical and reasonable recommendations based on sound risk management principles.

Education and Experience Information:
Candidates for the Security Vulnerability and Penetration Testing (VAPT) Engineer position should possess the following qualifications:

- A bachelor's degree in Computer Science or substantially equivalent experience.
- CISSP (Certified Information Systems Security Professional) certification is required.
- GIAC GPEN (GIAC Penetration Tester) or GWAPT (GIAC Web Application Penetration Tester) certifications are preferred.
- Offensive Security OSCP (Offensive Security Certified Professional) certification is required.
- Commanding knowledge of VAPT concepts and best practices, including WhiteHat/ethical hacking requirements.
- Expert understanding of the differences between a vulnerability assessment and a penetration test regarding assessment scope, objectives, and deliverables.
- Extensive experience with common automated VAPT tools such as Nessus, AppScan, Burp Suite, Nipper, and Trustwave.
- Expertise with common attack tools and frameworks such as Wireshark, Kali, Metasploit, etc.
- Expertise in mobile platform security technology, including vulnerability identification and exploitation tools, as well as mobile platform security best practices and frameworks.
- Understanding of VAPT in the context of risk management and organizational priorities.
- Passion for the practice and pursuit of VAPT excellence.
- Ability to validate the presence of identified vulnerabilities accurately.
- Mastery of common application platforms and technologies to effectively understand and evaluate complex application assessments using manual techniques and simple tools such as proxies and browser plugins.
- Authoritative mastery of OWASP (Open Web Application Security Project), CVE (Common Vulnerabilities and Exposures), general security controls, and other foundational topics, including the latest application and operating system exploits.
- Expert knowledge of common scripting and programming languages is advantageous.
- Ongoing commitment to understanding the threat landscape and common adversary motivations/practices, with the ability to quickly adapt practices to evolving circumstances.
- Ability to maintain critical thinking and composure under pressure.
- Strong written and oral communication skills, with the ability to convey complex concepts to non-technical constituents. Proficiency in oral and written English.
- Capability to assist with the preparation of internal training materials and documentation.
- Ability to remain productive and maintain focus without direct supervision.

Salary Information:
This position is bonus-eligible and includes medical, dental, vision, and 401(k) benefits based on the number of hours worked. If located in an office in one of the states listed (New York, Illinois, California, or Washington DC), the US base compensation for this position is expected to be in the range of $130,000-$150,000. Within this range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training. More specific details about the salary range for a preferred location can be shared during the hiring process.

Jun 09, 2025
May 07, 2025