Senior Penetration Test Analyst
Senior Penetration Test Analyst - HOP04037

Working at Cargill is an opportunity to thrive—a place to develop your career to the fullest while engaging in meaningful work that makes a positive impact around the globe. You will be proud to work for a company with a strong history of ethics and a purpose of nourishing people. We offer a diverse, supportive environment where you will grow personally and professionally as you learn from some of the most talented people in your field. With 150 years of experience Cargill provides food, agriculture, financial and industrial products and services to the world. We have 150,000 employees in 70 countries who are committed to feeding the world in a responsible way, reducing environmental impact and improving the communities where we live and work. Learn more at www.cargill.com.
The primary role of the Technology Governance, Risk & Control (TGRC) Senior Penetration Tester is in the preparation, execution, and reporting of advanced tests that assess the resiliency, integrity and security of Cargill and 3rd party solutions. This role will proactively identify security vulnerabilities in solutions including but not limited to: web and client/server applications, ASPs, OSPs, wired and wireless networks, IT infrastructure and data storage and will recommend mitigating actions to reduce identified risks to an acceptable level.
A solid foundation of IT security knowledge is required, covering cryptography, protocols, authentication and authorization variants, the strengths and weaknesses of commonly used technologies, and common mistakes or assumptions in implementation and/or development. This is necessary because tests will often require the Senior Penetration Tester to be given a new technology and, in a very short period of time, become more of an expert in it than its implementers and/or developers; to test it methodically, adjusting the points of emphasis mid-test based on current results; and to report out with remediation advice included.
The Senior Penetration Tester must become an expert in all aspects of the solution undergoing testing. This entails contacting the right resources and asking the right questions to establish an accurate understanding of the threats to the business, the threats to the technology, and the threats to the enterprise, as well as deconstructing massive amounts of documentation and information into the pertinent parts for further investigation during testing. It also means the Senior Penetration Tester manages the relationship and interactions between TGRC and the customer, who could be an OSP, ASP, vendor, or internal Cargill partner.
Testing will require specialized knowledge of various development languages and a broad understanding of enterprise solutions and their respective component architectures. Assessments will combine automated and manual testing with a wide range of tools to cover highly iterative and human-contextual situations. This role will require the Senior Penetration Tester to come up to speed with new technologies and testing tools quickly. These will include purchased security assessment software as well as a large number of open source tools and scripts; the Senior Penetration Tester must be aware of the latter, be able to learn how to use them (sometimes mid-test), and be able to fix them in the event that they are not working properly.
This role will also be responsible for the creation and management of any standardized assessment processes, procedures, templates, and product selection for tools and resources where applicable. This includes the management of 3rd party security consulting companies for penetration testing engagements that can't be executed as a result of resource or timing constraints. Specifically, end-to-end workflows (from engagement to report-out) and the creation and retention of artifacts during penetration testing engagements must be standardized. Penetration testing machines, the passwords associated with the software selected, and an inventory of commonly used tools must be maintained in accordance with Technology Asset Management (TAM) requirements.
The Senior Penetration Tester will serve as a subject matter expert to the enterprise, providing real-world evidence of risks and guiding prioritization. This role will work closely with other TGRC verticals where appropriate, as well as support Corporate Audit, Enterprise Architecture, and Tartan.
- Create advanced test procedures to assess the confidentiality, integrity, and availability of enterprise systems.
- Manage penetration test execution and thoroughly document test inputs, outputs, and results.
- Interpret test result data and present findings to IT and Business constituents in both technical and business-relevant terms.
15% - Strategy and R&D
- Provide input into the strategic direction of penetration testing, defining and implementing risk management plans and managing revisions as necessary.
- Serve as a consultant and subject matter expert on penetration testing tools and resources, both within TGRC and business-facing.
- Engage with 3rd party penetration testing resources as necessary.
- Manage relationships with internal and external IT business resources.
- Perform security research and associated development.
5% - PCI Compliance initiatives
- Provide consultation to the primary PCI Compliance owner for remediation and/or mitigation activities where necessary.
20% - Consultation
- Provide application and infrastructure security consultation for other TGRC verticals and IT teams where necessary.
- Provide mentorship and consultation to other penetration testers where necessary.
- Provide support to incident management as necessary.
Equal Opportunity Employer, including Disability/Vet.
This position is posted internally as well as externally
- Bachelor's degree or 8 years IT experience
- 4 years of IT experience.
- 4 years of IT security experience.
- 2 years of demonstrated penetration testing experience.
- Experience using penetration testing tools including Core Impact, BackTrack, Aircrack, IKE-scan and Metasploit.
- Demonstrated working knowledge of encryption protocols, algorithms, technologies and implementations.
- Able to identify, exploit, and recommend remediation activities for technology security issues
- Understanding of secure application development and system configuration processes, methodologies and tools.
- Strong written and verbal communication with presentation skills
- Experience in vulnerability management, including testing, scanning, and patching.
- Excellent time management skills, and the ability to prioritize and multi-task.
- Ability to work efficiently and independently with minimal supervision (i.e. self-motivated and willing to stretch to meet important deadlines).
- Knowledge of IT security architecture and design (firewalls, Intrusion Detection Systems, Virtual Private Networking, virus protection technologies, vulnerability management, Data Loss Protection, Digital Rights Management, etc.)
- Knowledge of LAN/WAN design and general internetworking technologies.
- Knowledge of Windows and Unix operating systems.
- Proven record of high performance in problem solving, collaborating, planning/priority setting, timely decision making, perseverance, and a drive for results.
- Very strong, proven customer focus skills in translating risk management policies into business requirements.
- Very strong interpersonal skills in terms of effective listening, patience, composure, and conflict management.
- Ability to mentor and develop team members in key techniques, tools, and skills.
- Very strong writing and documentation skills.
- Provide policy analysis and alignment with business practices and processes.
- Ability to learn on the fly, manage through systems and common processes, and have sufficient overall intellectual horsepower to address the demands of the team.
- Exceptional teaming skills encompassing cross-functional global teams, peer relationships, informing, and understanding and appreciating differences.
- Solid communication skills encompassing inter-personal communications, persuasion and influencing skills, security communications in business terminology.
- Able to communicate effectively and authoritatively with a variety of audiences, including during a crisis.
- Ability to travel internationally up to 10%
- Ability to work non-standard hours
- One or more of the following: CISSP, GWAPT, GPEN, GWAN, ISSEP, ISSAP or CISA.
- Experience using application and protocol fuzzing tools and processes.
- Network and remote access WAN and VPN penetration testing experience.
- Ability to design and implement security focused processes and procedures
Job: Information Technology
Primary Location: US-MN-Hopkins
Other Locations: United States
Job Type: Standard
Shift: Day Job