Oracle

Penetration Tester 4-NSC

Oracle

July 18, 2021

Job Description
JOB DESCRIPTION
Our team is tasked with delivering a corporate-wide Red Team program. Our goal is to ensure that Oracle is well-positioned to face current and emerging threats from any source.
We are looking for experienced red teamers with the enthusiasm and maturity to seek out information security risk and drive positive change in organizations. The successful candidate will be able to advise and contribute to a proactive program of campaigns based upon credible threat intelligence and real-world adversarial tactics, techniques and procedures (TTPs). You will help to strengthen our security posture and improve detection/ response capabilities through short and long-term engagements. You will be experienced at performing security assessments at all layers. You will be able to articulate and demonstrate a risk to both technical and executive stakeholders.
This is an exciting opportunity to join a motivated team delivering a global program.
RESPONSIBILITIES/ TASKS
Research emerging security threats and the latest real-world TTPs
Liaise with Threat Intelligence and Incident Management to build a risk-based proactive program
Craft campaign objectives, phases, and set up a campaign infrastructure
Conduct opensource intelligence gathering, vulnerability scanning, exploitation of vulnerable services, lateral movement, install persistence, manage C2 infrastructure
Develop payloads, scripts and tools to achieve exploitation, evasion, lateral movement
Contribute to Red Team campaigns simulating all phases of the MITRE ATT&CK framework
Maintain an accurate and comprehensive log of all campaign activities
Document security issues identified during campaigns, and author formal reports
Drive resolution and risk mitigation with service owners and data custodians
Contribute to education initiatives following successful campaigns
Develop novel tooling and techniques to enhance the team’s platform and capabilities
Assist Blue Teams with their detection, prevention and eradication strategies
Perform special security projects on an ad-hoc basis
Perform other duties as assigned
QUALIFICATIONS
Required qualifications
US Candidates: It will be an advantage if the candidate holds or is prepared to gain US Security Clearance: Oracle's commercial background investigation, plus NACLC and be willing to obtain MBI or SSBI as needed
UK Candidates: It will be an advantage if the candidate holds or is prepared to gain UK Security Check (SC) clearance
University degree from an accredited college/ university, or 8+ years equivalent experience
Professional certification: minimum OSCE/ OSWE, CREST CCT Inf/App or equivalent preferred
Experience in Information Security and technical aspects thereof, CISSP certification preferred
Prior experience with systems development, systems administration, or network administration, 5 years minimum preferred
Previous hands-on experience in automated and manual penetration testing (infrastructure and web app/ service), 10 years minimum preferred
Previous hands-on experience of advanced red teaming techniques, 5 years minimum preferred
Scripting/ programming experience (BASH, PowerShell, Python, C, Assembler) is an advantage
Knowledge of Information Security standards and access controls such as ISO27001/2 and PCI DSS
Comprehensive knowledge of MITRE ATT&CK phases and TTPs
Strong organizational skills and detail-oriented, able to handle concurrent assignments
Strong presentation, written and verbal communication skills in English
Strong negotiation skills
Self-starter and self-sufficient, doesn’t need to be micro-managed
Excellent team player, willing to share knowledge and skills with peers
Performs penetration testing and attack simulations on business-critical infrastructure including internal servers, networks and applications to identify and resolve security flaws.
Performs penetration testing and attack simulations for business-critical infrastructure including internal servers, networks and applications to identify and resolve security flaws. May also lead and supervise others competing in these tasks.
Self-scoping assessments.
Researches and experiments with various methods attackers could use to exploit information security vulnerabilities.
Develops standard methodologies and techniques for conducting penetration testing, including developing standard tool-sets and automating testing.
Oversees and directs security testing activities within specific Oracle Lines of Businesses.
Completes threat assessment reports that outline penetration test findings and presents findings to management.
Verifies and automates exploits by developing scripts for colleagues to utilize.
Minimum 8 years combined experience from at least three of the following: security testing, systems development, systems administration, network administration, scripting, and security testing automation required.
Preferred but not required qualifications include:
BS or MS in Computer Science, Computer Security or Computer Engineering.
Holds relevant industry certifications such as OSCP/ CREST CRT, CREST CCT Inf/App, OSCE, CISSP, GSEC, GPEN, GCFW, GWAPT, GAWN or equivalent.
Has Common Vulnerabilities and Exposures (CVEs).
Performs penetration testing and attack simulations on business critical infrastructure including internal servers, networks and applications to identify and resolve security flaws.
Performs penetration testing and attack simulations for business critical infrastructure including internal servers, networks and applications to identify and resolve security flaws. May also lead and supervise others competing these tasks.
Self-scoping assessments.
Researches and experiments with various methods attackers could use to exploit information security vulnerabilities.
Develops standard methodologies and techniques for conducting penetration testing, including developing standard tool-sets and automating testing.
Oversees and directs security testing activities within specific Oracle Lines of Businesses.
Completes threat assessment reports that outline penetration test findings and presents findings to management.
Verifies and automates exploits by developing scripts for colleagues to utilize.
Minimum 8 years combined experience from at least three of the following: security testing, systems development, systems administration, network administration, scripting, and security testing automation required.
Preferred but not required qualifications include:
BS or MS in Computer Science, Computer Security or Computer Engineering.
Holds relevant industry certifications such as OSCP/ CREST CRT, CREST CCT Inf/App, OSCE, CISSP, GSEC, GPEN, GCFW, GWAPT, GAWN or equivalent.
Has Common Vulnerabilities and Exposures (CVEs).
Has contributed to an open source project.If you are a Colorado resident, Please
Contact us
or Email us at oracle-salary-inquiries_us@oracle.com to receive compensation and benefits information for this role. Please include this Job ID: 114178 in the subject line of the email.
Innovation starts with inclusion at Oracle. We are committed to creating a workplace where all kinds of people can be themselves and do their best work. It’s when everyone’s voice is heard and valued, that we are inspired to go beyond what’s been done before. That’s why we need people with diverse backgrounds, beliefs, and abilities to help us create the future, and are proud to be an affirmative-action equal opportunity employer.
Oracle is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans status, age, or any other characteristic protected by law. Oracle will consider for employment qualified applicants with arrest and conviction records pursuant to applicable law.