Senior Penetration Tester

SHEIN Technology LLC Los Angeles, CA

Company

SHEIN Technology LLC

Location

Los Angeles, CA

Type

Full Time

Job Description

Job Title: Senior Penetration Tester
Reports to: Threat and Vulnerability Management Lead
Location: Los Angeles, CA - Hybrid Remote (Must be a CA, UT, TX, MD, PA, VA, IN, WA, or District of Columbia resident and have the ability to come into the office as needed)
Job Class: Exempt
About SHEIN Technology
SHEIN Global Security and Risk Management (GSRM) is a global security organization that oversees security infrastructure, risk management, data privacy, governance and regulatory compliance across SHEIN's global footprint. It is composed of a team of security professionals, innovators and thought leaders that have had decades of global security experience, led large scale transformations, and served in Fortune 500 executive roles.
Here, innovation isn't simply about protecting and defending our company. We develop solutions that are practical today and scalable tomorrow; and we create collaborative teams dedicated to innovation across each of our businesses to share our common values and vision.
Position Summary:
As the Senior Penetration Tester for SHEIN Technology, you will collaborate with and manage a team responsible for validating the security posture of SHEIN's infrastructure and applications. You will help validate security controls around web, cloud, and mobile applications and the associated network and backend resources for SHEIN Technology. You will work with a team of security testing professionals to enhance existing service offerings and security testing capabilities, and conduct hands-on technical testing focused on identifying vulnerabilities and misconfigurations in cloud environments and web/mobile applications.
Ideal Candidate:
  • Will have in-depth knowledge of secure coding principles, security architecture, hardening of operating systems, networking protocols, firewalls, databases and middleware applications, forensics, scripting and programming. You are expected to continuously improve your tradecraft through research and stay up to date with the continuously evolving threat landscape and attack techniques, tactics, and procedures.
  • Act as the primary lead for cloud, web and mobile application security testing.
  • Interface directly with executive leadership and technical staff to lead Penetration Testing engagements.
  • Plan, coordinate, authorize, and execute threat-intel-informed penetration testing engagements, both short and long duration. Document your methodologies and create detailed reports about your findings.
  • Create new testing methods to identify vulnerabilities.
  • Collaborate with various stakeholders and teams e.g., Threat Intel, Blue Team, Vulnerability Management, Security Engineering etc.
  • Conduct hands-on web/mobile/cloud penetration testing and be well versed in full exploitation within multiple environments, including Windows, *nix and macOS environments.
  • Generate report findings, develop risk-appropriate and pragmatic recommendations to correct identified flaws, vulnerabilities and misconfigurations, and track implementation through to completion.
  • Communicate findings and strategy effectively to client stakeholders, including technical staff, executive leadership, and legal counsel.
  • Define and maintain a set of Standard Operating Procedures (SOP), Rules of Engagement (ROE), methodologies and checklists for various Penetration Testing domains.
  • Utilize attacker tools, tactics, and procedures to perform analysis and identify vulnerabilities.
  • Procure, develop, maintain and refine an inventory of security tools needed for various operations.
  • Assist in analyzing crowd-sourced public vulnerabilities via our disclosure program to direct testing efforts.

Qualifications:
  • B.S. or M.S. in Computer Science or relevant certification.
  • 5+ years of industry experience in:
  • Well-rounded background in Penetration Testing (i.e., Cloud, Web-application, mobile application and various network ecosystems)
  • Performing, overseeing, improving and providing feedback on the Penetration Testing services offered
  • Designing a program and creating Standard Operating Procedures, Rules of Engagement, Testing Methodologies etc.
  • Conducting advanced penetration testing exercises (Network, Web Application, Mobile and Cloud)
  • Ability to think holistically, drive large scale efforts as a SME, promote automation for efficiency and coverage
  • Experience working with regulatory compliance efforts e.g., PCI etc.
  • Experience in at least one coding language: C/C++, C#, Python, Perl, Ruby, Bash, Java, HTML, JavaScript, PHP, ASP, ASPX.
  • Experience in various Operating Systems: Windows, *nix, macOS, Android, iOS.
  • Experience with tools like Burp Suite Pro, SQLMap, Frida, Objection, Android Studio, Xcode, MobSF, Drozer.
  • Knowledge of public cloud platforms (preferably OCI, Azure and AWS) and frameworks like OWASP Top 10 Web and Mobile.
  • Experience with common testing frameworks, such as the MITRE ATT&CK framework
  • Experience with tools used to perform Dynamic Application Security Testing (DAST) or Static Application Security Testing (SAST)

Preferred Qualification:
  • Possess one of the following certifications:
    • Global Information Assurance Certification (GIAC) Penetration Tester (GPEN)
    • CompTIA PenTest+
    • Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT)
    • EC-Council (ECC) Certified Ethical Hacker (Master) (C|EH [Master])
    • GIAC Web Application Penetration Tester (GWAPT)
    • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
    • GIAC Mobile Device Security Analyst (GMOB)
    • GIAC Assessing and Auditing Wireless Networks (GAWN)
    • GIAC Cloud Penetration Tester (GCPN)
    • Certified Mobile and Web Application Penetration Tester (CMWAPT)
    • Certified Expert Penetration Tester (CEPT)
    • Certified Red Team Operations Professional (CRTOP)
    • Certified Reverse Engineering Analyst (CREA)
    • Offensive Security
      • Offensive Security Certified Professional (OSCP)
      • Offensive Security Experienced Penetration Tester (OSEP)
      • Offensive Security Wireless Attacks (OSWA)
      • Offensive Security Web Expert (OSWE)
      • Offensive Security Exploitation Expert (OSEE)
    • Certified Penetration Tester (CPENT)
    • Licensed Penetration Tester (LPT)
  • Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, blogs, publications, speaking at conferences etc.
  • Experience with infrastructure automation, server administration, TCP/IP networking, vulnerability identification and exploitation, vulnerability exploit code development, offensive security operation coordination and communication, vulnerability tracking and remediation, cross functional collaborations
  • Experience working with security technology and products such as Firewalls, IDS, IPS, VPC, CSPM
  • Having a good understanding of Cloud vulnerabilities and how to address them
  • Effective communicator with experience of working in a fast-paced dynamic environment, where prioritization is key to success
Pay: $82,800.00 min - $129,300.00 max. annually.
Date Posted

02/18/2023
