Senior Ethical Hacker, Applications & Cloud
Grow with the best. Join a smart, creative, and inspired team that accomplishes operational excellence. Bringing together individuals with diverse backgrounds, talents, and expertise, our 31,000 team members in over 450 locations worldwide are vital to making our Company stronger.
Your Opportunity
The Senior Ethical Hacker will conduct security assessments on web applications and cloud services by emulating real-world attacks using the Mitre Attack Framework. Their goal is to identify security weaknesses, help prevent data breaches and enhance the security posture by uncovering vulnerabilities, misconfigurations, and risks proactively before they are discovered by threat actors.
Your Key Responsibilities
Communication
- Collaborate with cross-functional teams (security, engineering, cloud and network operations).
- Create reports and communicate findings to various technical teams, architects and engineers.
- Create and communicate processes that could help engineering teams meet remediation goals.
- Create and verbally present your test findings in debrief meetings with the C-Suite or sponsors.
Cloud and Application
- Conduct **penetration tests** on cloud systems, applications and APIs to identify vulnerabilities.
- Assess cloud/application specific configurations, access controls, and encryption mechanisms.
- Validate and exploit security findings within web/thick client apps and cloud environments.
- Validate various app services, databases, Kubernetes, serverless functions, container instances, images and cloud storage blob/buckets for security issues.
Project work/Knowledge Share
- Assist/Create rules of engagement for new pen test projects.
- Create or populate content in the internal training lab so developers and security champions can stay current in offensive security with practical CTF's when time permits.
- Provide live hacking webinars for teams interested in learning by example.
- Conduct internal Red Team engagements.
- Participate in purple team engagements.
Your Capabilities and Credentials
- Minimum 5-7+ years working in some aspect of cybersecurity (Offensive Security, Red Team experience preferred).
- Proficient with manual web/cloud penetration testing without using any tools.
- Proficient writing custom attack tools in Python, PHP, Golang and Bash Scripting.
- Proficient with interception proxies and attacking manually via Burp Suite Enterprise tool.
- Proficient building/maintaining attack automation systems (Commercial or Open-Source).
- Proficient building containers and automation pipelines for attacking purposes.
- Experience combining multiple low/medium findings to weaponize and achieve a higher level.
- Comfortable working exclusively from Windows or Linux command line.
- Comfortable "living off the land" using VIM/VI/Bash/SH/Perl/VBScript/WMI/PowerShell for post exploitation and lateral movement.
- Comfortable with writing XSS attacks, System/SQL injection payloads or weaponizing binaries.
- Comfortable attacking various popular public cloud services in (Azure/AWS/GCP/Oracle).
- Comfortable presenting audit findings to a small group or C-Suite during debrief meetings.
- Comfortable taking ownership for testing actions and performing blameless post-mortems.
Preference for the following additional Skills/Certifications
- OffSec Web Expert (OSWE) – Preferred
- GIAC Web Application Penetration Tester (GWAPT)
- Burp Suite Certified Practitioner (BSCP)
- Pentester Academy Cloud Security Professional (PACSP)
- Acknowledged findings in a responsible disclosure or public, private Bug Bounty program.
- Certified Kubernetes Security Specialist (CKS)
- Terraform Associate (003)
- DevSecOps experience
Education and Experience
- Minimum 5 years relevant experience.
- Related Degree or Certificate, preferably in area of Offensive Security and Application Security
This description is not a comprehensive listing of activities, duties or responsibilities that may be required of the employee and other duties, responsibilities and activities may be assigned or may be changed at any time with or without notice.
Stantec is a place where the best and brightest come to build on each other’s talents, do exciting work, and make an impact on the world around us. Join us and redefine your personal best.