Cyber Security Engineer

6 years

0 Lacs

Posted: 8 hours ago | Platform: LinkedIn

Work Mode

On-site

Job Type

Full Time

Job Description

About Company: Garmin Ltd. is an American multinational technology company founded in 1989 by Gary Burrell and Min Kao in Lenexa, Kansas, United States, with headquarters in Olathe, Kansas. Since 2010, the company has been incorporated in Schaffhausen, Switzerland. The company specializes in GPS technology for automotive, aviation, marine, outdoor, and sport activities. At Garmin, we like to work hard and play hard. It comes easy when you work on cool products with hard-working individuals who share the same passion. We make products that are engineered on the inside for life on the outside. We do this so our customers can make the most of the time they spend pursuing their passions. We think every day is an opportunity to innovate and a chance to beat yesterday. See more at www.garmin.com.


POSITION SUMMARY:

Perform comprehensive penetration testing, vulnerability assessments, and risk analysis across Garmin’s global computer systems, products, and software, covering web, API, infrastructure, mobile, and hardware security through ethical hacking engagements. Responsible for ensuring adherence to Garmin’s information security strategy, programs and best practice. Design, develop, and implement solutions and metrics to successfully integrate and monitor new information security and identity management systems with the existing architecture. In addition, deploy security policies, investigate and evaluate alerts for malicious file execution attempts, and design enhanced protocols aligned with protecting corporate-wide production systems. The Cyber Security Engineer II will also lead root-cause analysis efforts to determine improvement opportunities when failures occur.


ESSENTIAL FUNCTIONS:

• Perform in-depth penetration and security assessment testing for Garmin computer systems, products, and software on a global scale

• In-depth expertise with industry trusted infrastructure and development penetration tools

• In-depth expertise with security, infrastructure, software development, and application technologies

• Proficiency with various methods of reconnaissance and information gathering, including network analysis, web application analysis, and database analysis

• Strong understanding of: OWASP Top 10, SANS Top 25, CWE, CVSS scoring, threat modeling, MITRE ATT&CK framework

• Secure coding practices and SDLC

• Knowledge of authentication protocols: OAuth2, JWT, SAML, Kerberos, NTLM

• Conducts regular security audits from both a logical/theoretical standpoint and a technical/hands-on standpoint

• Proficiency with various methods of threat modeling and vulnerability assessment including vulnerability scanners, password crackers, network protocol attacks

• Demonstrated proficiency with one of the following programming languages: Python, PowerShell, Bash or Ruby

• Expertise with industry-standard tools: Burp Suite Pro, Nmap, SQLMap, Nessus, Nuclei, Metasploit, CrackMapExec, BloodHound

• Familiarity with reverse engineering tools or firmware analysis is a plus

• Willingness and capability to go beyond mastery of common penetration tools toward a deeper understanding of the technology, as needed to reveal vulnerabilities that standard tool proficiency does not

• Experience with, or willingness to learn, device hacking / reverse engineering of products and devices

• Execute red teaming tactics: Active Directory exploitation (Kerberoasting, AS-REP Roasting, DCSync, constrained delegation)

• Lateral movement, persistence, and evasion

• Command and control (C2) setup


WHAT THE CANDIDATE WOULD DO:

• Internal/External Network Penetration Testing

• Cloud Penetration Testing

• Web Application Security Testing

• API Security Testing

• Mobile Application Security Testing

• IoT / Device Security Testing

• Desktop Application Security Testing

• Red Teaming Activities

• Demonstrating proficiency in diverse reconnaissance and information gathering methods, including network analysis, web application analysis, and database analysis.

• Possessing expertise in industry-standard security best practices and utilizing multiple techniques for penetration testing.

• Managing vulnerabilities and effectively communicating with system owners in English, exhibiting excellent communication skills.

• The desired candidate will have prior experience completing security assessments and generating reports.


OTHER RESPONSIBILITIES:

• Creating and developing security assessment solutions

• Daily administrative tasks, reporting and communication with the relevant departments in the organization

• Designs and develops complex, integrated solutions to meet business requirements or enhance performance of Garmin’s security systems

• Performs and evaluates cost analyses and vendor comparisons from small through large scale projects to ensure cost-effective and efficient operations

• Measures feasibility of various approaches and makes recommendations

• Communicate effectively regarding system operations and environment changes

• Adhere to SOX, PCI, and other regulatory requirements as dictated

• Understands and avoids potential threats and drives countermeasures for IT managed systems

• Ensures that all security requirements are met or exceeded

• Provides significant contributions to defining team roadmap and priorities

• Develops reliable solutions to complex problems which require the regular use of ingenuity and creativity

• Demonstrates broad understanding of Garmin's business model, including Engineering, Operations, Finance, Sales and Marketing

• Serves as a mentor and provides guidance to less experienced IT workers

• Researches new technologies and proposes cost-effective solutions

• Provides innovation within area of expertise

• Facilitates team discussions and meetings

• Recognized as an expert in assigned discipline at Garmin and applies extensive technical expertise and analysis to initiatives

• Contributes input to broader technology solutions outside of discipline

• Serves as a leader of change

• Demonstrates professional maturity through giving and receiving constructive feedback

• Conflict is addressed effectively without appreciable oversight

• Coordinates department level non-project changes

• Perform other duties as necessary


EDUCATION, EXPERIENCE, AND SKILLS REQUIRED:

• Bachelor of Science Degree in Computer Science, Information Technology, Management Information Systems, Business or another relevant field AND a minimum of 6 years relevant experience OR equivalent combination of education and relevant experience

• Outstanding academics with the demonstrated ability to apply learned knowledge

• Fluency in English is required

• Demonstrated strong and effective verbal, written, and interpersonal communication skills in a small team setting

• Must be team-oriented, possess a positive attitude and work well with others

• Driven problem solver with proven success in solving difficult problems

• Excellent time management and follow-up skills

• Consistently demonstrates quality and effectiveness in work documentation and organization

• Must be able to exploit vulnerabilities and provide actionable remediation recommendations beyond scanning capabilities


CERTIFICATIONS:

• Required: OSCP or equivalent hands-on experience

• Preferred: OSEP, OSWE, CRTP, PNPT, eWPTX, or other Red Team-focused certs


Bangalore Urban, Karnataka, India