Publicado en: Otros en Washinton DC | Última actualización: |
The ideal candidate has experience performing internal penetration testing, vulnerability assessments and manual exploitation of servers, web applications/services and databases to identify vulnerabilities, misconfigurations, and compliance issues. In addition, the candidate will have extensive experience in performing FISMA technical controls assessments, writing final reports, Pen Testing Rules of Engagements (RoE), Test Plans and Standard Operating Procedures (SOPs).
Seeking experienced Security Risk Management Framework (RMF) Technical Controls Assessor and pen tester to support a Federal government client. The responsibilities for the Security RMF Technical Controls Assessor include:
Conduct custom penetration testing scoped to the Federal Information Security Modernization Act (FISMA) systems’ unique environment and role based on the controls, schedule, and resources concurrent with the Information System
Write final reports, defend all findings to include the risk or vulnerability, mitigation strategies, and references
Conduct internal penetration testing and vulnerability assessment of servers, web applications, web services, and databases
Manually exploit and compromise operating systems, web applications, and databases
Examine results of web/OS scanners, scans and static source code analysis
As needed, provide Penetration Testing, Vulnerability Scanning, and App Scanning using tools such as: Burp, Splunk, Nessus, SIH (Tripwire), AppDetective, WebInspect, Metasploit
Develop Penetration Testing Rules of Behavior (RoB) and deliver to team and clients
Understand how to create unique exploit code, bypass AV, and mimic adversarial threats
Help customer perform analysis and mitigation of security vulnerabilities
Research and maintain proficiency in tools, techniques, countermeasures, and trends in computer network vulnerabilities, data hiding, network security, and encryption
Work with the Assessor Lead to conduct the Authorization & Assessment (A&A) for the annual FISMA systems assessment
Establish the schedule and resources for the A&A of the annual FISMA systems assessments
Conduct verbal discussion/meeting to address progress of the A&A effort
· Prepare and update various security documentation such as Systems Security Plans (SSPs), Plan of Action and Milestones (POA&Ms), Risk Assessments, Private Impact Assessments (PIAs), and more
Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
Assist in preparing Security Assessment Plans (SAP) to document test and assessment procedures
Collect artifacts as proof that security controls are performing effectively
Conduct custom interviews based on initial analysis of the system’s security plan to assess compliance with security controls
Conduct system specific review and assessment of applicable controls at each site to be assessed, including and remote assessments (if applicable)
Conduct FISMA systems Continuous Monitoring implementation and assessment
Validate inventories for the annual FISMA system’s assessments
· Gather and analyze sufficient artifacts to verify technical control implementation against agency security policies
Review relevant policies, schedule activities, and provide recommendations for courses of action
· Complete comprehensive test plans for identified security controls following National Institute of Standards and Technology (NIST 800-53), Federal Risk and Authorization Management Program (FedRAMP) guidance, and/or agency-specific guidance
Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence)
Produce complete, accurate, and timely findings reports
Develop documents and document templates
Promote an environment of continuous process improvement, learning and team collaboration
Requirements
Qualifications and Skills
Must be a United States citizen
· Two (2) or more years of experience with penetration testing preferred
Two (2) or more years of experience in technical controls assessments preferred
Two (2) or more years of experience with RMF preferred
Two (2) or more years of experience with A&A preferred
Must have hands-on technology experience (Engineering, Development, or Operations)
· Strong familiarity with at least one of the following: Burp Suite, Open Web Application Security Project (OWASP) top 10, Penetration Executive Standard (PTES), and National Security Agency (NSA) Vulnerability and Penetration Testing Standards
Familiarity with the Cyber Security Assessment and Management (CSAM) System for system assessments, or other equivalent tools
Previous experience with security and scanning tools such as Burp Suite, NMAP, Splunk, Nessus, SIH (Tripwire), AppDetective, WebInspect.
Knowledgeable with information security and assurance principles and associated supporting technologies
Flexibility to adapt to contingencies resulting from changes or modifications to the schedule and assessment requirements.
Excellent customer service and organization skills
Excellent oral and written communication skills
Experience in presenting control requirements and deficiencies to both technical and non-technical audiences
Benefits
One or more of the following certifications preferred:
o Offensive Security Certified Professional (OSCP)
o GIAC Security Leadership (GSLC)
o GIAC Penetration Tester (GPEN)
o GIAC Web Application Penetration Tester (GWAPT)
o Certified Information Systems Security Professional (CISSP)
o Certified Ethical Hacker (CEH)
o Other Penetration Testing certifications
