iSEC Partners is hiring experienced security folk in San Francisco!
The role is diverse and challenging, with opportunities to work in all areas of security assessment, including:
Web app pen testing, network pen testing, mobile app security, fuzzing, source code review, physical security breaches, APT-simulation, forensic analysis, IDS/IPS evasion, social engineering, red-teaming, security training, writing security tools/software, client-sponsored research and more…
You will be faced with complex problem solving opportunities and hands-on practical testing on a daily basis. If you’d like to work for our office in San Francisco, we’d like to hear from you.
Are we looking for you?
Our consultants are highly skilled, multi-disciplinary and exceptionally motivated individuals - but what does that really mean? We want technology-hungry people with a passion for security - that’s right, passion! If you’re looking for a nine-to-five job, this isn’t for you. That isn’t because we ask you to work the night shift; it’s because you’ll want to work late trying to solve a problem or learning how best to attack a system. If that sounds like you, then this job is perfect for you! We are often asked by candidates ‘what kind of work will I be doing?’ Clearly there is no hard and fast rule here, but we can give you some examples of what we expect:
* All of our consultants know how to deliver a web app security assessment using manual techniques to find critical vulns. We may sometimes use automated scanners, but we always use hands-on manual testing that leverages technical knowledge, a client-side proxy and a method of automated fuzzing. You should know web technologies very well, know where they are weak and know how to find typical vulnerabilities!
* All of our consultants can drop into a network, compromise systems, traverse network segregation and chain vulnerabilities to gain Domain Admin or gain access to critical Linux, UNIX or other proprietary systems. In general, your infrastructure, protocol and networking ability should be strong and well-practiced.
* All of our consultants should be able to carry out static code analysis using manual and automated techniques in a variety of languages. We aren’t looking for you to be a production-level developer, but we are looking for you to be able to understand program flow and programming constructs in the most relevant enterprise development languages. Think of it this way: we don’t always get source code for our targets, but when we do, you will need to understand it well enough to determine whether security-enforcing features are present and whether they are robust.
* All of our consultants should have a reasonable approach for ‘Blackbox’ software testing. Typically this involves understanding how to profile software for attack surface analysis, carry out fuzzing against relevant inputs (network, file etc.) and debug running processes to detect memory corruptions. While software reverse engineering could be considered a specialist ability, every consultant should be able to disassemble binaries, trace program flow, extract clear text data and recognize where encryption techniques are in use. Like to write your own tools? Then you’ll fit in well with us! Whether it’s a quick and dirty Python harness or something more robust, our consultants regularly write custom tools to carry out security testing.
* All of our consultants should have knowledge and experience of testing mobile applications for (at least) iDevice and Android environments. It should be no surprise that we assess mobile applications and technologies with increasing frequency, so we expect our consultants to be able to keep up-to-date with the changes in technology and associated deficiencies for this fast-paced area of IT.
* Above all else our consultants should be able to absorb new technologies and determine how to test them for vulnerabilities quickly and to maximum effect. They turn their hands to areas of security that they have not previously dealt with. Never done a wireless security assessment? With a little reading you should be able to. Never seen a mainframe in your life? With some preparation you should quickly be able to understand how they may be misconfigured. We don’t expect our consultants to be experts in everything - but we do expect them to be experts in security, turning that expertise towards any given medium as needed.
Still reading this and think it sounds like you? Good! We want to hear from you so get in touch!
WHY iSEC Partners?
We offer competitive benefits, including an employer-matched 401k plan, a healthy training budget, health/dental/vision insurance and paid vacation. In addition to your work in consultancy, we encourage team members to engage in challenging, cutting-edge security research and we support attendance and participation in industry conferences and community events wherever possible. Our client base will give you exposure to the biggest companies that exist, from the top financial organizations, to science and technology giants, through household names that even your grandparents have heard about.