Senior Penetration Tester

This job is no longer active!

View all jobs Booking Holdings active


View all jobs Senior Penetration Tester active on Hipo.ro

View all jobs IT Software active on Hipo.ro


Employer: Booking Holdings
Domain:
  • IT Software
  • Job type: full-time
    Job level: peste 5 years of experience
    Location:
  • BUCHAREST
  • Updated at: 01.11.2023
    Remote work: On-site
    Short company description

    Booking Holdings Romania is a Center of Excellence based in Bucharest, Romania and was created to support the increasing business demands of the Booking Holdings Brands. The Center of Excellence provides access to specialized and highly skilled talent, leading industry best practices, and collaboration opportunities across all of our Brands.

    As part of our Booking Holdings Romania team, you will have the opportunity to be a part of the world’s leading provider of online travel, with a mission of making it easier for everyone to experience the world through six-primary consumer-facing brands: Booking.com, Priceline, Agoda, KAYAK, OpenTable and Rentalcars.com.

    Requirements

    Role description
    The Senior Penetration Tester defines and leads the execution of highly technical and specialized engagements and designs new techniques of testing based on the evolution of industry best practices over time. They are both performing hands-on technical testing without requiring supervision and are coordinating teams of testers to ensure that the engagement objectives are met. They strengthen Booking’s security posture by proactively identifying vulnerabilities and security control gaps in our systems and applications. The Senior Penetration Tester provides critical input to the Senior Manager - Threat Management with the development of the security assurance strategic plan based on subject matter expertise to increase the impact and value added through this area of focus. The Senior Penetration Tester also helps further grow the security assurance area by mentoring other team members and members of other technical non-pentester communities within Booking. The Senior Penetration Tester has strong stakeholder management skills that enable effective communication of technical information to multi-level (up to CISO/CSO level), technical and non-technical audiences both within Booking and the broader Booking Holdings organization.

    Key Job Responsibilities and Duties

    Threat Modeling

    2-3 years of threat modeling experience. Familiarity with threat modeling methodologies such as STRIDE or PASTA
    Web application / API Penetration Testing

    Proficient in scripting languages such as Python, PowerShell, Bash, and Ruby and able to create scripts that can automate the security testing process, add operational efficiency or uncover new vulnerabilities.
    Create proof-of-concept exploits and scripts to demonstrate the impact of identified vulnerabilities, aiding developers in understanding the severity of security risks.
    Expert level understanding of application security concepts at both technical and procedural level
    Expert level understanding and exploitation skills for web application vulnerabilities (OWASP - SQLi, XSS, CSRF, XXE, IDOR, SSRF, etc )
    Expertise on at least one of the following DAST tools (AppScan, BurpSuite, Acunetix, Web Inspect, etc)
    Experience of creating attack trees/chains
    Experience in automating penetration testing tasks such as import API spec ( Swagger, Open API, etc ) to pentesting tools
    Understanding (technical aspects of) penetration testing and results (including scoping and organizing of pentests, use of vulnerability scanners, vulnerability management tools)
    Secure SDLC

    Ability to read code (Perl, Java, JS) and identify vulnerabilities and ability to use and modify existing code for project assignments
    Good understanding of application security tooling integration with CI/CD pipelines of applications
    Good understanding of how git works, good to have experience of Gitlab CI/CD
    Ability to provide remediation recommendations to developers
    Infrastructure and Cloud Penetration Testing

    3+ years experience of performing penetration tests for infrastructure and network
    Good understanding of kubernetes and virtualization technologies
    Expert level understanding of vulnerabilities and exploitation techniques such as RCE, buffer overflows, subdomain takeover, dns exfiltration, privilege escalation, etc)
    Hands on security experience of performing cloud security reviews for at least one of the following cloud platforms ( AWS, GCP, Azure )
    Manage Penetration Testing LabExperience of creating and managing penetration testing lab/infrastructureDesirable:

    7+ years of experience in information security
    5+ years of relevant hands-on experience in offensive security testing and engagement management
    Expertise in at least one of the following areas: (Web) application security, infrastructure and cloud security, mobile security
    Excellence in communicating business risk and remediation requirements from assessments
    Excellent stakeholder management skills
    Competent with testing frameworks and tools
    Understanding of OWASP, the MITRE ATT&CK framework and the software development lifecycle (SDLC).
    Software development experience
    Analytical and problem-solving mindset.
    Highly organized and efficient
    Experience in offensive security tactics
    Experience with using tools such as Burp Suite, AppScan, Acunetix , Zap ,Web Inspect, Metasploit, Nessus / Qualys and OSINT tools
    One or more of the following certifications: OSCP, OSCE, GPEN, GWAPT, CEH, CISSP or a similar recognized certification in their domain of expertise


    Benefits & Perks

    Contributing to a high scale, complex, world renowned company and seeing real-time impact of your work on millions of travelers worldwide
    Working in a fast-paced and performance driven culture
    Competitive compensation and benefits package and some great added perks of working at Booking
    Booking Holdings is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. We strive to move well beyond traditional equal opportunity and work to create an environment that allows everyone to thrive.

    Responsibilities

    Key Job Responsibilities and Duties

    Designs, develops, and maintains custom software tools, scripts, and automation frameworks to conduct security assessments, code reviews, and vulnerability analysis.
    Use data analysis tools or develop custom scripts to identify patterns and trends in security assessment results, enabling data-driven decision-making for security improvements.
    Defines and leads the execution of highly technical penetration tests and security assurance engagements that deliver value to Booking by independently performing hands-on, detailed technical tests without requiring supervision.
    Owns the design of new technical testing engagements to best serve the current and future needs of the organization, being able to adapt industry best practices to the local technical and cultural environment.
    Owns the responsibility to ensure that the budget allocated to pentesting activities performed by external vendors, delivers the necessary value and results in a good return on investment.
    Actively contributes to the mid- and long-term security assurance strategic plan definition by introducing domain expertise insights and ensuring the plan is effective and impactful.
    Grows the security assurance area of focus within security by understanding the current and target security posture of the business and identifying the skills and resources needed to effectively deliver on those needs.
    Mentors junior and core penetration testers, driving their career growth within this highly specialized technical craft.
    Provides deep technical expertise to the business in the following highly specialized domains:
    Threat modeling
    Web application / API penetration Testing
    Mobile application penetration testing
    Infrastructure and cloud penetration testing
    Purple team assessments
    Provides guidance and recommendations to teams, taking into account the current state of their technical environment, their future roadmap and strategy, and the risk associated with the underlying findings and vulnerabilities.
    Keeps up to date with the latest developments in vulnerabilities and threats within their domain of expertise, using this to assess the security posture of Booking to new trends and attacks
    Drives and coordinates multi-disciplined teams (including internal testers, external contractors, engagement managers) to conduct and successfully deliver pentest engagements of booking systems and services.
    Drives the reporting of penetration test outcomes by drafting, disseminating, and presenting them to technical and non-technical stakeholders at multiple levels (junior analyst to leadership team).
    Collaborates and coordinates with cross-functional technical and non-technical stakeholders within Booking.com and Booking Holdings to achieve a successful testing engagement that delivers critical security value.
    Supports the cross-brand security assurance program throughout Booking Holdings by engaging with key security personnel (CISOs to engineers)
    Mentors and trains non-pentesters, such as developers and other technical roles, in the relevant aspects of penetration testing and vulnerability identification to scale their impact across the department and Booking.
    Plan and organize any externally and internally performed security assurance activities
    Coordinate security assurance engagements executed by external testers
    Execute security assurance engagement testing
    Document and formally report the outcomes of the security assurance activities both to a technical and non-technical audience
    Align with Booking Holdings on the overall security assurance landscape for the Group
    Coordinate and support the contractual relationship and alignment with external security assurance vendors
    Align business testing needs with timely and relevant threat information and verify the organization’s security posture against them
    Perform other duties as assigned
    Research and innovate, regularly research and learn new TTPs, and apply this knowledge to update testing methodology and tools.
    Understand breach and attack simulation solutions, working with them to automate control validation and effectiveness.
    Liaise with security teams to mature prevention, detection, and response capabilities
    Mentor and support junior teammates
    Align business testing needs with timely and relevant threat information
    Define the security assurance plan, collect scope requirements, execute or facilitate the execution of the assessment and draft both technical and executive reporting
    Conduct tactical assessments that require expertise in web application security, infrastructure security and / or mobile security
    Develop and maintain tools and scripts used in penetration-testing processes
    Support vendor testing engagements as needed
    Work with teammates to consistently learn and share advanced skills and foster team excellence
    Align business testing needs with timely and relevant threat information and verify the organization’s security posture against them
    Mentor junior teammates
    Work closely with the threat management teams to leverage intelligence sources, identify new threats in the wild, and verify the organization’s security posture against them.
    Regularly research and learn new TTPs, working with teammates to assess the risk
    Understand breach and attack simulation solutions, working with them to automate control validation and effectiveness.
    Liaise with security teams to mature prevention, detection, and response capabilities
    Perform other duties as assigned.

    Other info

    Benefits & Perks

    Contributing to a high scale, complex, world renowned product and seeing real-time impact of your work on millions of travelers worldwide
    Working in a fast-paced and performance driven culture
    Technical, behavioral and interpersonal competence advancement via on-the-job opportunities, experimental projects, hackathons, conferences and active community participation
    Competitive compensation and benefits package
    Vast amounts of data to validate your ideas and the opportunity to experiment with real users


    Booking Holdings is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. We strive to move well beyond traditional equal opportunity and work to create an environment that allows everyone to thrive.

    Benefits

    • Annual bonus
    • Medical subscription
    • Medical insurance
    • Trainings
    • Courses
    • Certifications
    • Bookster subscription
    • Remote work allowance / Utilities reimbursement
    • Payment / Compensation for extra hours
    • Extra days off
    • Flexible work schedule
    • Short Fridays
    • Parties / company events
    • Laptop
    • Mobile phone
    • Parking space
    • Fun / Relax Area
    • Meal vouchers