Information Security Analyst - Penetration Tester
Job Description
Job #:
req22670
Organization:
World Bank
Sector:
Information Technology
Grade:
GE
Term Duration:
3 years 0 months
Recruitment Type:
Local Recruitment
Location:
Washington, DC, United States
Required Language(s):
English
Preferred Language(s):
Closing Date:
5/26/2023 (MM/DD/YYYY) at 11:59pm UTC
Description
Do you want to build a career that is truly worthwhile? Working at the World Bank Group provides a unique opportunity for you to help our clients solve their greatest development challenges. The World Bank Group is one of the largest sources of funding and knowledge for developing countries; a unique global partnership of five institutions dedicated to ending extreme poverty, increasing shared prosperity and promoting sustainable development. With 189 member countries and more than 120 offices worldwide, we work with public and private sector partners, investing in groundbreaking projects and using data, research, and technology to develop solutions to the most urgent global challenges. For more information, visit www.worldbank.org
ITS Vice Presidency Context:
Information and Technology Solutions (ITS) enables the WBG to achieve its mission of ending extreme poverty and promoting shared prosperity in a sustainable way by delivering transformative information and technologies to its staff working in over 150 locations. Our vision is to transform how the Bank Group accomplishes its mission through information and technology. In this fast-paced, ever-changing world, the formulation and implementation of the ITS strategy is an ongoing, iterative process of learning and adaptation developed through extensive consultations with business partners throughout the World Bank Group.
ITS shapes its strategy in response to changing business priorities and leverages new technologies to achieve three high-level business outcomes: business enablement, by providing Bank Group units with innovative digital tools and technologies to transform how they deliver value for their clients; empowerment & effectiveness, by ensuring that all Bank Group staff are connected, able to find information, and productive to accelerate the delivery of development solutions globally; and resilience, by equipping the Bank Group to provide risk-based cybersecurity and robust data protection for a global network and a growing cloud platform.
Implementation of the strategy is guided by three core principles. The first is to deliver solutions for business partners that are customer-centric, innovative, and transformative. The second is to provide the Bank Group with value for money with selective and standard technologies. The third principle is to excel at the basics by providing a high performing, robust, and resilient IT environment for the organization.
Unit Context
The ITS Information Security and Risk Management (ITSSR) unit, headed by the Chief Information Security Officer (CISO), is responsible for providing leadership in managing the functions and activities of information security and risk across the World Bank Group, enabling the achievement of WBG's business objectives. ITSSR enables and facilitates a risk-aware culture, and ensures that WBG information assets are protected in an effective, efficient, and balanced manner and that IT security and risk management efforts throughout the World Bank Group are coordinated and aligned to the Bank's business and IT strategy. ITSSR establishes and maintains the World Bank Group's IT and InfoSec policies and standards; develops and engineers the WBG's information security plans and solutions; responds to security incidents; and ensures that information risks are identified, assessed, and managed consistently with the overall risk management approach and with the established appetite and tolerance.
We provide a meaningful, open, and collaborative environment. We have many interesting problems to solve, providing you an opportunity to develop your skills while contributing to the mission of the bank. We value teamwork, openness, curiosity, and persistence.
Roles & Responsibilities:
Seeking a talented individual, passionate about cyber security and motivated to join our security engineering team as a penetration tester / red team member.
The Information Security Analyst - Penetration Tester will have overall responsibility for maintaining hands-on expertise with advanced attacker tactics, techniques and procedures (TTPs), for continuously assessing the strength of WBG systems, applications and control environment, and for collaborating with other team members on remediation and additional validation.
The primary responsibilities include, but are not limited to:
• Propose, plan, and execute penetration testing and ethical hacking exercises in a complex and technologically diverse IT environment.
• Provide accurate and detailed reporting of penetration test findings and propose solutions for vulnerability remediation.
• Perform follow-up assessments of remediated systems to validate that any issues identified have been adequately addressed.
• Design and develop custom tooling required for executing advanced attacks and evading preventative and detective controls.
• Continuously stay up to date with attacker tactics, techniques, and procedures (TTPs).
• Perform research on emerging technologies and develop red team exercises to test new software and hardware technologies being considered for adoption.
• Collaborate with World Bank Group's incident response and security engineering teams to improve detective and preventative controls.
• Work closely with the security operations center (SOC) to leverage intelligence sources, identify new threats in the wild and verify the organization's security posture against them.
• Act as one of the organization's security subject matter experts, and field advanced technical questions from other internal IT teams.
• Stay up to date on current security trends, advisories, and academic research that is relevant to World Bank Group's IT environment.
Selection Criteria
• Bachelor's or Master's degree in Computer Science with two years of relevant security testing experience, or equivalent combination of education and penetration testing experience.
• Advanced level understanding and demonstrated ability to exploit vulnerabilities in web applications, APIs and cloud services.
• Ability to craft proof-of-concept exploits and attack payloads that bypass technical defensive controls.
• Advanced understanding of cloud-based IaaS, PaaS and SaaS solutions and typical security concerns associated with them.
• Prior experience using Azure and AWS command line interpreters for complex tasks.
• Advanced level knowledge of security assessment frameworks such as Burp Suite Pro.
• Strong working knowledge of layer 2-4 networking concepts. Good understanding of how routing, DNS, and network ACLs work. Understands how and when to use network protocol analyzers such as Wireshark.
• Working knowledge of OWASP and the MITRE ATT&CK framework.
• Experience with modern application and user-aware "next-generation" firewalls, WAFs, and intrusion prevention systems is a plus.
• Practical understanding of cryptography and how it is applied in various software environments.
Additional Qualifications
• Outstanding analytical and problem-solving mindset, especially the ability to accurately define a problem and identify the root cause.
• Excellence in communicating risk and remediation requirements from assessments, both verbally and in written reports.
• Self-starter requiring minimal supervision.
• Motivated, persistent and agile. Demonstrate maturity and sound judgement.
• Highly organized and detail oriented.
World Bank Group Core Competencies
The World Bank Group offers comprehensive benefits, including a retirement plan; medical, life and disability insurance; and paid leave, including parental leave, as well as reasonable accommodations for individuals with disabilities.
We are proud to be an equal opportunity and inclusive employer with a dedicated and committed workforce, and do not discriminate based on gender, gender identity, religion, race, ethnicity, sexual orientation, or disability.
Learn more about working at the World Bank and IFC, including our values and inspiring stories.
Date Posted
05/17/2023