    Pentester and Vulnerability Mgt Engineer - Charlotte, United States - Belk, Inc. & Belk eCommerce LLC

    Description
    Security Engineer - Penetration Testing & Vulnerability Management


    We are looking for a penetration tester/vulnerability engineer to join our team to help protect the organization from cyber threats.

    As a penetration tester, you will be responsible for conducting ethical hacking activities to identify and exploit vulnerabilities in systems, networks, applications, and devices.

    You will be involved in red teaming, purple teaming, and active threat-hunting exercises to simulate real-world attacks and test the effectiveness of our security controls and incident response capabilities.

    You will also be expected to lead and manage vulnerability and patch management programs to ensure timely remediation of security issues.

    This role is fully remote with quarterly travel to Belk, Inc. headquarters and must be worked in the ET time zone. This role will report to the Manager, Cybersecurity Operations & Incident Response.

    Essential Duties and Responsibilities

    Vulnerability Management

    Compiling and tracking vulnerabilities and mitigation results to quantify program effectiveness.
    Creating and maintaining vulnerability management policies, procedures, and training.
    Analyzing cyber defense policies and configurations and evaluating compliance with regulations and organizational directives.
    Maintain knowledge of applicable cyber defense policies, regulations, and compliance documents related to cyber defense assessment.
    Prepare reports identifying technical and procedural findings and providing recommended remediation strategies/solutions.

    Perform technical (evaluation of technology) and nontechnical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., container registry scanning, open-source vulnerability scanning, network/host vulnerability scanning, cloud security posture management, and source code scanning).

    Analyze CIS benchmarks compliance for multiple platforms, including on-premises and cloud resources, and generate reports to achieve compliance by meeting organizational security standards.

    Maintain weekly reports for work-in-progress efforts across cybersecurity operations resources.
    Manage the exception process for vulnerabilities, patching, or pen-testing findings that cannot meet Belk's Standards and/or the remediation SLA.
    Penetration Testing

    Perform formal penetration tests on web-based applications, networks, and computer systems, including Windows environments, from initiation to closure.
    Threat modeling
    Carry out testing of the cloud environment to expose weaknesses in security.
    Determine methods that attackers could use to exploit weaknesses and logic flaws.
    Perform security reviews of application designs, source code, and deployments as required, covering all types of applications (web applications, web services, mobile applications, SaaS)
    Perform physical security reviews.
    Participate in Security Assessments and IT auditing of networks, systems, and applications.
    Use, design, and create penetration tools and tests.
    Document findings for management and technical staff and recommend mitigating actions.
    Required Knowledge and Skills

    Proficiency in using penetration testing tools like Metasploit, Burp Suite, Nmap, Wireshark, and vulnerability scanners.
    Understanding of standard network protocols, operating systems (Windows, Linux, macOS), and web technologies.
    Knowledge of common web application vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
    Familiarity with scripting languages like Python, Bash, or PowerShell to automate tasks and develop custom tools.
    Solid understanding of cybersecurity principles, secure coding practices, cloud infrastructure, and network security controls.
    Knowledge of common security frameworks and compliance standards, such as OWASP, PCI DSS, NIST, and MITRE ATT&CK Framework.
    Strong analytical thinking and problem-solving abilities to identify vulnerabilities, analyze their impact, and recommend appropriate solutions.
    Knowledge of system administration concepts, including server configuration, user, and patch management.
    Excellent communication skills to communicate findings, vulnerabilities, and recommendations effectively to technical and non-technical stakeholders.
    Willingness to continuously learn new tools, methodologies, and technologies in the rapidly evolving field of cybersecurity.
    Understanding the retail business context to prioritize risks and align security assessments with organizational objectives is essential.
    Ability to work effectively as a team, collaborate with other security professionals, and share knowledge and expertise.

    General Requirements:
    A bachelor's degree in Computer Science, Information Security, or a related field is desirable.
    At least one of the following certifications: OSCP, GPEN, PNPT, PenTest+, or similar certification.
    3+ years of overall IT experience.
    3+ years of experience in vulnerability management.
    3+ years of experience in ethical hacking.
    2+ years of experience in incident management.
    3+ years of experience in systems management and administration is desirable.
