Lead Security Testing Engineer

Date: Aug 2, 2019

Location: Milwaukee, WI, 53202

At Northwestern Mutual, we are strong, innovative and growing. We invest in our people. We care and make a positive difference. 


The principal accountability of a Security Testing Engineer is to secure the data and information systems of Northwestern Mutual and its policy owners. While Security Testing Engineers think like an attacker, they will always act with integrity and never abuse their privileges. All work is in service of two primary internal customers: (1) the Business Owners accountable for the people, processes, and technologies in the organization, and (2) the Blue team accountable for logging, monitoring, and incident response. 

The Security Testing Engineer serves the Business Owners by identifying, assessing, and responsibly reporting all vulnerabilities discovered throughout the organization. The primary goal is risk mitigation: allowing for business continuity, but without negligent risk.

The Security Testing Engineer serves the Blue Team by simulating threats against which they can engineer detection rules and validate monitoring, alerting, and response capabilities. This partnership happens in an open, knowledge-sharing environment to facilitate timely detection of existing gaps and new attack techniques. 

Essential Job Duties: 

  1. The Lead Security Testing Engineer has one of two primary accountabilities: (a) Product Owner/Team Lead, who is focused on team leadership/management, or (b) Technical Lead, who is focused on setting technical direction and leading research for the team and the department:

     a. Product/Team Lead: Accountable for independently, and/or in coordination with team management, setting the vision and direction for the team’s work – and influencing work at the department level – as well as assisting in the management of team members’ work allocation and time.

     b. Technical Lead: Accountable for anticipating security needs of the team and department and applying a depth and breadth of advanced security knowledge to proactively address these complex problems in a variety of ways, including building custom solutions and designing and leading security testing engagements.

  1. Penetration Testing: Accountable for working independently with cross-functional teams to serve as the subject matter expert in the security testing space and independently performing web, mobile, and network penetration tests in an enterprise environment. 

  1. Red Team: Accountable for the design and implementation of red team exercises including leading the exercise through completion, report writing, and working independently with department and enterprise leadership and the law department to ensure all activities are vetted and approved. 

  1. Leadership: The Lead Security Engineer is a leader both within the Security Testing team and in the Department with the expectation to guide and mentor team members. This includes overseeing the testing performed by junior testers, mentoring their technical educational activities, and freely sharing knowledge and testing techniques.

  1. Infrastructure & Automation: Accountable for designing, building, and maintaining security tools and infrastructure that support the security testing team. Focus on designing and implementing automation to aid the team in creating efficiencies for both security testing and threat simulation. 

  1. Security Research: Accountable for regularly monitoring the security community for, and researching, the latest assessment and exploit methodologies. This work is concluded by sharing the information in the form of newly written tools and/or attack techniques via informal internal training sessions to the team and via formal presentations to the department and company. 

  1. Project Leadership: Accountable for initiating and leading projects to recommend and enact changes to current team processes, to respond to changing customer needs, and to address complex enterprise needs. 

  1. Reporting & Communication: Accountable for effectively and professionally communicating information, as well as preparing and delivering the highest quality security reports, both of which comprehensively and clearly explain risk, demonstrate findings, and offer tactical and strategic recommendations to both technical and non-technical internal clients including department and enterprise leadership, company executives, and law. 

  1. New Technology: Accountable for high-level assessment, recommendation, and onboarding of new technology for the team and the organization. This includes researching and assessing potential vendors and technology, and coordination with Enterprise Vendor Management and Law. 

  1. Ad Hoc Incidents: Accountable for working with security architects, the security operations center, incident responders, technology infrastructure, and development teams as necessary.

  1. Metrics: Accountable for leading efforts to design and implement the capability to track, monitor, and report testing results to deliver meaningful, risk-based security metrics to the enterprise. 

  1. Training: Attend training to stay current with technology and security trends. 

  1. Perform other duties as assigned. 



  • Significant expertise with both Windows and Linux operating systems internals. 

  • Thorough command of web application security principles in the areas of coding, infrastructure, etc. 

  • Thorough command of each of the following security assessment suites: Burp Suite, Metasploit, Wireshark, and tcpdump, in addition to some experience with one or more adversarial simulation platforms such as Cobalt Strike, Empire, etc.

  • Thorough command of applicable frameworks including NIST, OWASP, and MITRE ATT&CK. 

  • Thorough command of the OSI Model, web and network protocols such as TCP, UDP and HTTP/S. 

  • Highly proficient in one or more scripting/programming languages such as Python, JavaScript, Java, Ruby, Go, PowerShell, Bash, C#, C/C++, etc. 

  • Direct experience developing in, or thorough understanding of, the Agile/DevOps operating models. 

  • Experience testing applications hosted in the Amazon Web Services (AWS) and/or Microsoft Azure platforms as well as the associated security implications of the platforms themselves. 

  • One or more advanced certifications in penetration testing (e.g. GWAPT, GPEN, GMOB, OSCP). 

  • Thorough command of APIs and associated protocols, such as JSON, REST, or SOAP. 

  • Proven track record analyzing attack techniques to create custom, or repurpose existing, tooling to perform the attacks. 

  • Thorough understanding of cryptography controls and underlying concepts to secure data. 

  • Thorough command of defense-in-depth design and operational concerns. 

  • Strong ability to independently identify and resolve critical and complex issues through effective problem-solving skills. 

  • Track record of integrity, taking pride in one’s work, seeking to excel, being curious, and adaptable. 

  • Ability to maintain and strengthen relationships; ability to effectively influence and negotiate with internal and external partners. 

  • Proven interpersonal savvy with demonstrated tact and diplomacy. 

  • Strong written and verbal communication skills with the ability to interpret and fully explain the impact of vulnerabilities as well as any recommended remediation to multiple knowledge levels. 


  • Experience teaching security testing (web, mobile, or infrastructure/network). 

  • Experience writing custom modules for one or more of the following security assessment suites: Cobalt Strike, Empire, Metasploit, etc. 

  • Formal software development experience with one or more programming languages such as Python, JavaScript, Java, Ruby, Go, PowerShell, Bash, C#, C/C++, etc. 

  • Experience automating Amazon Web Services (AWS) and/or Microsoft Azure platform infrastructure, preferably within an Agile/DevOps operating model. 

  • Public bug bounty profile (BugCrowd or HackerOne) with a record of bug submissions, or similar public record of coordinated bug disclosures. 

  • Proven people leadership skills including the ability to manage small teams and small projects. 

  • Ability to be a leader in the security industry, demonstrated by participation in organizing and/or contributing to conferences by giving talks.

Experience Requirements: 

  • Bachelor’s degree with an emphasis in Computer Science, Computer Engineering, Software Engineering, MIS or related field, or related experience.

  • Highly technical and analytical hands-on experience in prior professional roles. 

  • 5+ years of experience with web/mobile application and/or network penetration testing or proven capabilities in other required skills including independent security research, CTF events, bug bounty programs, etc. 


Grow your career with a best-in-class company that puts our clients’ interests at the center of all we do. Get started now!

We are an equal opportunity/affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, gender identity or expression, sexual orientation, national origin, disability, age or status as a protected veteran, or any other characteristic protected by law.


Req ID: 25834
Position Type: Regular Full Time
Education Experience: Bachelor's Required
Employment Experience: 3-5 years
FLSA Status: Exempt
Posting Date: 08/05/2019