Penetration Tester
Job description
Job Title: Penetration Tester
Reports to: Head of Security Assurance
Corporate Grade: AVP
Primary Location/s: London
About Barclays
Barclays is an international financial services provider engaged in personal banking, credit cards, corporate and investment banking and wealth management with an extensive presence in Europe, the Americas, Africa and Asia. Barclays' purpose is to help people achieve their ambitions – in the right way.
With over 300 years of history and expertise in banking, Barclays operates in over 50 countries and employs approximately 140,000 people. Barclays moves, lends, invests and protects money for customers and clients worldwide.
At Barclays, we recruit based on merit and are committed to promoting diversity throughout our organisation.
Overall purpose of role:
Global Information Security (GIS) are looking for a motivated, technically minded individual to join our application security and penetration testing team.
As an application security and penetration testing specialist you will be expected to:
· Contribute both on an individual assessment basis as well as a global strategic basis to raise the security posture across the organisation
· Identify application security vulnerabilities in a range of technologies including web and mobile through a combination of security assessment techniques: manual penetration testing, code-review, SAST, DAST, IAST etc
· Work collaboratively with development teams to proactively build security within their software delivery pipeline
· Develop security standards and guidelines for applications and systems developed at Barclays
· Disseminate specialist application security knowledge to both the security and development communities
· Innovate towards the goal of establishing novel security services and the enhancement of existing services
· Work within virtual teams of security and technical specialists to ensure quality delivery of leading solutions to our internal clients.
· Provide reports which highlight and clearly articulate vulnerabilities and weaknesses to clients in terms they understand.
Key Accountabilities and Skills required:
Security Assessment
· Support security assessment coverage across Barclays
· Work with global team and external entities to deliver Security services
· Analyse and review security issues identified
· Supplement automated assessment techniques with manual security assessment approaches
· Communicate security issues identified and mitigation/remediation options to development community
· Generation of reports and follow up on issues until closure
· Develop and deploy tools, techniques and capabilities to enhance ability to deploy, scan and assess the global estate
· Develop automation scripts to enhance and automate the process
Knowledge Sharing
· Produce and develop training material for the internal community to disseminate specialist expertise
Research and Development
· Research new and emerging threats, counter controls and technologies affecting various platforms
· Innovate in collaboration with security focused development teams to implement and enhance proprietary Barclays security technologies
· Build upon the existing service request model, processes and supporting technologies
Education and Secure Coding
· Address questions on application and information security topics
· Explain security topics at varying technical levels, from high-level concepts to low-level technical details for developers
· Develop Application Security course syllabus based on target audience proficiency level
· Create training materials including demonstrations, hands-on lab and multimedia
· Engage various corporate departments (e.g. HR, Estate Management, Learning Management System etc) for training roll-out
· Develop secure development guidelines
· Manage secure development certification of developers
· Promote the awareness and importance of application security education
Risk and Control
All Barclays colleagues have to ensure that all activities and duties are carried out in full compliance with regulatory requirements, Enterprise Wide Risk Management Framework and internal Barclays Policies and Policy Standards.
Your Skills and Qualifications will include:
Critical Requirements
· Have superior time management and organizational skills to undertake multiple critical supportive and advisory tasks concurrently
· Maintain a wide breadth of penetration testing and software security skills to a significant degree of depth
· Have a superior ability to articulate technical concepts to non-technical business owners and management
· Understand the business context/significance of application security controls and penetration testing findings
· Possess an entrepreneurial attitude to excel in loosely defined scenarios
Technical Knowledge
· Strong web application testing/penetration testing/code-review experience
· Thorough knowledge of application security assessment techniques and their relative merits, including: SAST, DAST, IAST and manual assessment
· Understanding of Application security issues, coding standards, and an ability to articulate them to developers and project managers
· Understanding of the security mechanisms associated with Applications, operating systems, networks and databases
· Awareness of emerging Application Security technologies
· Knowledge of programming languages such as: Java (J2EE/Android), C#.NET, C/C++/JNI, Objective-C
· Experience working with web and mobile development projects as a developer or security subject matter expert
· Wider SDL activities such as threat modelling and design review
· Familiarity with web application multi-tier architectures and operation
· Working knowledge of cryptographic concepts and familiarity with best practice application within a development environment
· Demonstrated ability to solve complex technical problems
· Able to explain security functionality from first principles
· Physical security knowledge and experience is considered beneficial but not required
Security Management
· Sharing critical knowledge between Project Managers, Service Performance Managers, Developers and Engineers
· Ability to balance business impact, cost and risk against technical criticality
· Contribute to formulation of policies and best practices for security management
· Can consult on policy guidance, interpretation and enforcement mechanisms
· Knowledgeable of the full spectrum of application control techniques
· Can describe all key IT security functions, major roles, responsibilities and their inter-dependencies
· Has contributed to the creation of technology-related security best practices and processes
· Evaluates enterprise-wide impacts and makes recommendations for the company
· Can relate new technology potential for gaining a competitive advantage in business
· Understands security operations from a people, process and technology perspective
· Understands the role and importance of robust governance models
· Understands routine IT security monitoring and administration tools
· Understands performance measurements for IT security
· Understands major internal support functions and services
· Monitors marketplace trends and experiences on security, audit and control issues
Control
· Knows what should be communicated, when and to whom
· Actively seeks ways to understand and mitigate new and emerging threats to mobile application security
· Able to operate in a regulated environment following rules and procedures
Delivery
· Can describe alternative problem-solving approaches and their optimal uses
· Ability to communicate with both technology and business representatives
· Ability to work concisely when under pressure or with extremely tight timescales
Time Management
· Able to shift well from task to task
· Project management
· Provision of 'out of hours' support as and when required
Personal Development
· Understands own learning style
· Learns from mistakes or successes for future planning and development
The Benefits: Our customers deserve the best. The same goes for our employees. That's why at Barclays you'll receive a range of benefits that include a competitive salary and all the tools, technology and support you need to succeed.
Our Culture: Everything we do is shaped by the five values of Respect, Integrity, Service, Excellence and Stewardship. The values inform the foundations of our relationships with customers and clients, but they also shape how we measure and reward the performance of our employees. Simply put, success is not just about what you achieve, but about how you achieve it.
Dynamic working gives everyone at Barclays the opportunity to integrate professional and personal lives, if you have a need for flexibility then please discuss this with the hiring manager.
Barclays is an equal opportunity employer and is opposed to discrimination on any grounds. For more detailed information, please visit our dedicated Diversity and Inclusion site.
Barclays Values & Diversity
Our common purpose is to help people achieve their ambitions – in the right way. We'll measure and reward our people, not just on commercial results, but on how they live our Values of Respect, Integrity, Service, Excellence and Stewardship and bring them to life every day. To find out more about working at Barclays and the development opportunities we offer please visit our website http://www.barclays.com/
We are an equal opportunity employer and we are opposed to discrimination on any grounds.