Senior Penetration Tester
Siemens Corporate Technology, the research and development power house of Siemens, is setting up a new Cyber Security Research & Development Center. Given the highly dynamic and complex technological landscape shaped by endeavors such as Industry 4.0 (“the 4th Industrial Revolution”), Industrial Internet of Things, and Critical Infrastructures, Siemens products must be secure and resilient from the start according to organizational strategy - this plays a crucial role for the success of both Siemens and its customers.
Therefore, cyber security has evolved into one of the core technologies at Siemens which helps shape the new age of smart manufacturing, dynamic supply chains, as well as tailored products and services.
Siemens Corporate Technology is focused on state-of-the-art, and beyond, technological challenges which help Siemens provide better, more efficient and secure products to its customers. Siemens Corporate Technology provides security building blocks and blueprint architectures for all Siemens business units in order to facilitate faster and better product development. We test and assess products & solutions, analyze and review code, develop security measures, and optimize their implementation. And finally, we analyze threat landscapes, manage vulnerabilities, and provide solutions for incident response.
We are looking for experienced security professionals to drive operational excellence, continuous development and improvement of Siemens’s security solutions.
What are my responsibilities?
• Assess enterprise applications with tool-based and manual penetration testing methods (Web Technologies, Rich Clients, SAP, Networks, protocols)
• Investigate compliance of OSs, databases, etc. to existing security measure plans (Windows, Linux, Apache, MYSQL, …)
• Find new vulnerabilities in business applications and prove their relevance with exploit scripts
• Evaluate vulnerabilities, including CVSS rating
• Write client reports that detail: approaches for exploiting vulnerabilities, risk evaluation, and mitigation suggestions
• Explain vulnerabilities and their impact to technical experts, as well as management personnel
• Perform root-cause analysis and lessons learnt with developers and architects to improve security sustainably (not simply hotfixing identified vulnerabilities)
What do I need to qualify for this job?
• Master’s degree in Computer Science/Information Technology; specialization in IT Security a plus
• Minimum 3 to 5 years of experience in hands-on penetration testing or red team engagement (360+ penetration testing days in the last 3 years), especially for web applications
• Experience in current attack methods, manual penetration testing methods, and hacking tools–Nmap, Metasploit, Kali Linux, Burp Suite Pro–as a starting point for intensive manual security tests and self-developed testing tools
• Review and ensure the secure configuration of OSs (Windows, Linux), network devices (firewalls, routers), and mobile platforms (iOS, Android)
• Experience in analyzing rich clients (Java, .NET, binary) and their techniques, such as debugging, API hooking, fuzzing, and exploit generation is a plus
• Proficiency in programming languages such as C/C++, Java, .NET, Python, and manual source code spot checks to find new vulnerabilities is a plus
• Experience in SAP ABAP/Java Stack and HANA administration is a plus
• Ability to understand, find, verify, and explain security vulnerabilities
• Ability to research and characterize security vulnerabilities, define appropriate countermeasures, and write comprehensible client reports
• Fluent in spoken and written English, including security terminology; proficiency in German a plus
• Ability to present and explain complex technical topics to both management personnel and technical experts
• Ability to work in a self-guided and result-oriented fashion, with a clear desire to become acknowledged technical expert in your own area of expertise
Job ID: 79976
Organisation: Corporate Technology
Experience Level: Experienced Professional
Job Type: Full-time