Penetration Tester

3 - 8 years

10 - 15 Lacs

Posted: 1 day ago | Platform: Naukri

Work Mode

Hybrid

Job Type

Full Time

Job Description

About Business line/Function:

ITG provides testing services for the BNP Paribas Group. The Security testing team is responsible for executing SAST and Penetration Tests (Black or Gray Box) for the Web and Mobile applications pertaining to the group.

Responsibilities

Direct Responsibilities

  • To perform Penetration testing (Gray Box and/or Black Box) for Web applications, Mobile, API, and thick client applications.
  • Hands-on mobile penetration tester with strong knowledge and experience in Android and iOS application security testing (both static and dynamic), responsible for discovering, validating and reporting security issues in mobile applications.
  • Perform Static analysis (SAST) and Dynamic analysis (DAST) on Android APKs and iOS IPAs to identify insecure storage, hardcoded secrets, insecure configurations, runtime hooking, parameter tampering etc.
  • Conduct reverse engineering and protection bypass on mobile applications, including decompiling/inspecting binaries, analyzing native libraries (.so/.dylib) and bypassing client-side protections (root/jailbreak detection, SSL pinning, obfuscation, tamper checks etc.) using tools like Frida, objection, Magisk, Cydia/Sileo/Zebra and Xposed.
  • Strong research knowledge; should stay updated with evolving mobile threats and industry standards (OWASP MASVS/MASTG).
  • To understand the application's security requirements and identify & document the scope of the test.
  • Ensure execution of the documented security scenarios for the application under test.
  • Document and report all findings.
  • Collaborate with the developers to help them understand the vulnerabilities reported in the application.
  • Escalate issues to the local management and onshore stakeholders in case it affects the testing progress.
  • Ensure processes for the project are followed for the assessments.
  • Note: Mandatory requirement: Mobile, Web & API Penetration Testing.
  • Optional: Experience in Source Code Assessment (SCA)/SAST.

Technical & Behavioral Competencies

  • Clear understanding of OWASP Top 10 - application security risks
  • Tools/OS: Burp Suite, OWASP ZAP, Kali Linux, MobSF, jadx, dex2jar, adb, Xcode, Frida, objection, apktool, plutil, otool.
  • Manual Security Testing & Analysis, Security Test Designing
  • Excellent Interpersonal and presentation skills
  • Strong in verbal and written communication
  • Good analytical skills
  • Strong Time Management
  • Must be flexible, independent, self-motivated.
  • Team player

Specific Qualifications

CSSLP/CEH or equivalent certification preferred

Education Level: 

Bachelor's degree or equivalent.

Experience Level

At least 3 years of relevant experience.

BNP Paribas

Banking

Paris London
