Senior Penetration Tester

Principal Accountabilities:

The principal accountability of a Sr. Penetration Tester is to secure the data and information systems of Northwestern Mutual and its policy owners. While pen testers think like an attacker, they will always act with integrity and never abuse their privileges. All work is in service of two primary internal customers:

the Business Owners accountable for the people, processes, and technologies in the organization, and (2) the Blue team accountable for logging, monitoring, and incident response.

The Sr. Penetration Tester serves the Business Owners by identifying, assessing, and responsibly reporting all vulnerabilities discovered throughout the organization. The primary goal being a focus on risk mitigation - allowing for business continuity, but without negligent risk.

The Sr. Penetration Tester serves the Blue Team by simulating threats against which they can engineer detection rules and validate monitoring, alerting, and response capabilities. This partnership happens in an open, knowledge-sharing environment to facilitate timely detection of existing gaps and new attack techniques.

Essential Job Duties:

Penetration Testing: The Senior penetration tester will be accountable for working independently with cross-functional teams to serve as the subject matter expert in the security testing space and independently performing web, mobile, cloud, and network penetration tests in an enterprise environment.

Red Team: Accountable for assisting in the design and implementation of red team exercises including independently leading components of the exercise.

Purple Team: The Senior Penetration Tester will play an active role in the team's purple team program and activities including designing, organizing, and executing purple team engagements and automation.

Leadership: The Senior Penetration Tester is a leader within the Security Testing team with the expectation to guide and mentor more junior members. This includes overseeing the testing performed by junior testers, mentoring their technical educational activities, freely sharing knowledge and testing techniques.

Infrastructure & Automation: Accountable for building, managing, and maintaining security tools and infrastructure that support the security testing team. Focus on designing and implementing automation to aid the team in creating efficiencies for both security testing and threat simulation.

Security Research: Accountable for regularly monitoring the security community for, and researching, the latest assessment and exploit methodologies. This phase of the work is concluded by sharing the information back to the team in the form of newly written tools and/or attack techniques via informal internal training sessions.

Test Coordination: Accountable for coordinating with internal team members to ensure that scheduled tests include all information needed to perform a successful penetration test.

Reporting: Accountable for preparing and delivering the highest quality security information that comprehensively and clearly explains risk, demonstrates findings, and offers tactical and strategic recommendations to both technical and non-technical internal clients.

Communication: Effective and professional communication of a variety of topics, including technical and non-technical information, to a wide variety of internal and external customers including leadership from across the organization.

Bug Bounty: Accountable for high-level management of bug bounty program including validation of bug submissions.

Ad Hoc Incidents: Accountable for working with security architects, the security operations center, incident responders, and technology infrastructure, and development teams, as necessary.

Metrics: Accountable for working with select team members to track, monitor, and report testing results in a meaningful way so that risk-based security metrics are delivered to the enterprise.

Training: Attend training to stay current with technology and security trends. Perform other duties as assigned.

Requirements:

• Proficiency with both Windows and Linux operating systems. Including advanced command line skills.
• Thorough command of web application design principles in the areas of coding, infrastructure, middleware, etc.
• Thorough command of each of the following security assessment suites: Burp Suite, Wireshark, and tcpdump in addition to some experience with one or more adversarial simulation platform such as Cobalt Strike, Brute Ratel, Sliver, Mythic, etc.
• Thorough command of applicable frameworks including the "OWASP Top Ten" and MITRE ATT&CK.
• Thorough command of the OSI Model, web, and network protocols such as TCP, UDP and HTTP/S.
• Competency with one or more scripting/programming languages such as Python, JavaScript, Java, Ruby, Go, PowerShell, Bash, C#, C/C++, etc.
• Experience with applications hosted in Amazon Web Services (AWS) and/or Microsoft Azure, preferably within an Agile/DevOps operating model.
• Experience with Amazon Web Services (AWS) and/or Microsoft Azure platforms and the associated security implications.
• Thorough command of APIs and associated protocols, such as JSON, REST, or SOAP.
• Ability to analyze attack techniques and create custom, or repurpose existing, tooling to perform the attacks.
• Thorough understanding of cryptography controls and underlying concepts to secure data.
• Thorough command of defense-in-depth design and operational concerns.
• Strong ability to independently identify and resolve critical and complex issues through effective critical thinking skills.
• History of acting with integrity, taking pride in work, seeking to excel, being curious, and adaptable.
• Ability to maintain and strengthen relationships; ability to effectively influence and negotiate with internal and external partners.
• Proven interpersonal savvy with demonstrated tact and diplomacy.
• Strong written and verbal communication skills with the ability to interpret and fully explain the impact of vulnerabilities as well as any recommended remediation to multiple knowledge levels.

Desirable:

• One or more advanced certifications in penetration testing (e.g., GWAPT, GPEN, GMOB, Offensive Security certs).
• 5+ years' experience performing security testing activities such as web, mobile, or infrastructure/network testing.
• 5+ years' experience with one or more of the following security assessment suites: Cobalt Strike, Brute Ratel, Mythic, Sliver etc.
• 5+ years' experience with one or more scripting/programming languages such as Python, JavaScript, Java, Ruby, Go, PowerShell, Bash, C#, C/C++, etc.
• Formal software development experience preferred but not necessarily required.
• Experience automating Amazon Web Services (AWS) and/or Microsoft Azure platform infrastructure, preferably within an Agile/DevOps operating model.
• Public bug bounty profile (BugCrowd or HackerOne) with a record of bug submissions, or similar public record of coordinated bug disclosures.
• Proven people leadership skills, formal or informal, including the ability to manage small teams and small projects.
• Ability to be a leader in the security industry demonstrated by participation organizing and/or contributing to conferences by giving talks.

Experience Requirements:

• Bachelor's degree with an emphasis in Computer Science, Computer Engineering, Software Engineering, MIS, or related field.
• Highly technical and analytical hands-on experience in prior professional roles.
• 3-5 years of experience with web/mobile application and/or network penetration testing or proven capabilities in other required skills including independent security research, CTF events, bug bounty programs, etc.

Our Benefits!

• Highly competitive compensation, including annual bonus opportunities.
• Medical/Dental/Vision plans, 401(k), pension program
• Tuition reimbursement, commuter plans, and paid time off
• Extensive Professional Training Opportunities
• Excellent Work/Life Balance

#LI-Hybrid

Northwestern Mutual pays on a geographic-specific salary structure and placement in the salary range for this position will be determined by a number of factors including the skills, education, training, credentials and experience of the candidate; the scope, complexity as well as the cost of labor in the market; and other conditions of employment. At Northwestern Mutual, it is not typical for an individual to be hired at or near the top of the range for their role and compensation decisions are dependent on the facts and circumstances of each case. Please note that the salary range listed in the posting is the standard pay structure. Positions in certain locations (such as California) may provide an increase on the standard pay structure based on the location. Please click here for additional information relating to location-based pay structures.

Job Posting End Date:

The timeline for this job posting may be shortened or extended based on organizational needs

We are an equal opportunity/affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, gender identity or expression, sexual orientation, national origin, disability, age or status as a protected veteran, or any other characteristic protected by law.

If you work or would be working in California, Colorado, New York City, Washington or outside of a Corporate location, please click here for information pertaining to compensation and benefits.

We're excited about the potential people bring to Northwestern Mutual. You can grow your career here while enjoying first-class perks, benefits, and commitment to diversity and inclusion.

• Flexible work schedules
• Concierge service
• Comprehensive benefits
• Employee resource groups