Lead Penetration Tester

We're the team that keeps airports moving, airlines flying smoothly, and borders open. Our tech and communication innovations are the secret behind the success of the world's air travel industry.

You'll find us at 95% of international hubs. We partner closely with over 2,500 transportation and government clients, each with their own unique needs and challenges. Our goal is to find fresh solutions and cutting-edge tech to make their operations run like clockwork. Want to be a part of something big?

Are you ready to love your job? The adventure begins right here, with you, at SITA.

PURPOSE

As a Lead Penetration Tester, part of the SITA Enterprise Information Security Office, you will assess SITA infrastructure and products to identify information security weaknesses and provide remediation strategies. You will also contribute to the automation of security testing as part of the product development lifecycle.

KEY RESPONSIBILITIES

1. Conduct authorized assessment of infrastructure and applications to proactively identify security weaknesses.
2. Verify weaknesses by leveraging attacker techniques to evaluate the difficulty and effectiveness of potential attack from various threat actors.
3. Provide comprehensive and actionable recommendations to counter the threat posed by identified security weaknesses, given the applicable threat landscape.
4. Bring an offensive mindset to the design of internal solutions and provide input to the selection of countermeasures and security controls through technical risk assessment.
5. Report findings to technical audiences (e.g.: product development teams, IT, operations), and to business management and leadership, indicating the impact to the business of verified weaknesses found.
6. Research and develop testing tools, techniques and processes.
7. Assist incident response and security threat surveillance functions to advise on current attacker tools, techniques and procedures.
8. Contribute to the continuous improvement of security processes, tools and techniques to counter threats faced by SITA and our customers.
9. Contribute to the automation of security activities as part of the DevOps lifecycle.

EXPERIENCE

1. 5-7 years' experience in at least three of the following fields:
2. Network penetration testing
3. Web and mobile application assessments
4. Cloud penetration testing (Azure, AWS,...)
5. Mastery of Unix/Linux/Windows operating systems, including bash and PowerShell, shell scripting or automation of simple tasks using Python, Ruby or Perl
6. Developing security test automation as part of a DevOps CI/CD pipeline

KNOWLEDGE & SKILLS

1. Excellent ability to think laterally and solve problems in unique ways
2. Ability to relate work to the business, understanding the impact to business processes, not just technical impact
3. Strong knowledge of attacker tools, techniques and procedures
4. Strong understanding of network technologies such as TCP/IP, routing, switching, NAT, Wireless/WiFi, etc.
5. Strong ability to research and maintain currency with the latest approaches to penetration testing, including learning new tools and technologies
6. Good understanding of security compliance frameworks (e.g. ISO/IEC 27001, PCI DSS, etc.)
7. Good understanding of common business applications (e.g. content management systems, application servers, databases, etc.) and how to leverage them in an assessment
8. Good understanding of web technologies and how they are commonly subverted (e.g. OWASP Top 10)
9. At least a basic understanding of development frameworks (.NET, Java,...)
10. Ability to remain calm and methodical under pressure

PROFESSION COMPETENCIES

1. Adversarial Thinking
2. Cloud Security Assessment
3. Vulnerability Analysis
4. Security pen-testing tool mastery
5. Threat Modeling
6. Network & Active Directory Security Testing
7. Application Security Testing
8. Privilege Escalation
9. Red Team Operations
10. Security Standards & Compliance
11. Incident Simulation & Reporting
12. Scripting & Automation
13. Risk-Based Assessment
14. Security Advisory
15. Technical Writing & Documentation

CORE COMPETENCIES

1. Ethics & Professional Integrity
2. Analytical & Critical Thinking
3. Communication
4. Creativity & Innovation
5. Resilience & Adaptability
6. Results-Oriented Execution
7. Stakeholder Influence

EDUCATION & QUALIFICATIONS

1. Masters degree in a technical discipline such as Information Security, Computer Science, Engineering, Telecommunications, Mathematics, Physics, or enough work experience to demonstrate proficiency at this level
2. Penetration Testing certification (e.g. OSCP, GPEN) is considered a strong advantage
3. Professional security certification (e.g. CISSP, CISA) is a plus

WHAT WE OFFER

We're all about diversity. We operate in 200 countries and speak 60 different languages and cultures. We're really proud of our inclusive environment. Our offices are comfortable and fun places to work, and we make sure you get to work from home too. Find out what it's like to join our team and take a step closer to your best life ever.

Flex Week: Work from home up to 2 days/week (depending on your team's needs)

Flex Day: Make your workday suit your life and plans.

Flex-Location: Take up to 30 days a year to work from any location in the world.

Employee Wellbeing: We have got you covered with our Employee Assistance Program (EAP), for you and your dependents 24/7, 365 days/year. We also offer Champion Health - a personalized platform that supports a range of wellbeing needs.

Professional Development: Level up your skills with our training platforms, including LinkedIn Learning!

Competitive Benefits: Competitive benefits that make sense with both your local market and employment status.

SITA is an Equal Opportunity Employer. We value a diverse workforce. In support of our Employment Equity Program, we encourage women, aboriginal people, members of visible minorities, and/or persons with disabilities to apply and self-identify in the application process.