Job Description

Penetration Test Engineer – Product Cyber Security - We are looking for an experienced and certified Embedded and Application Penetration Tester to join our Product Cybersecurity team. In this role, you will be responsible for conducting comprehensive security assessments of our products including embedded devices, web applications, thick-client applications, and mobile applications.

ESSENTIAL DUTIES AND RESPONSIBILITIES

· Conduct comprehensive security assessments of Wabtec products, including embedded devices, IoT devices, thick client applications, mobile and web applications,

· Use penetration testing and Red Team techniques to discover and exploit vulnerabilities

· Create findings reports and communicate to stakeholders

· Perform compliance testing of embedded systems with respect to IEC-62443-4-2 standards

· Explore new ways to exploit devices by dumping and analyzing firmware (incl reverse engineering)

· Interact with and test JTAG, UART, and other hardware debug interfaces

· Provide guidance on vulnerability remediation to engineering teams

· Manage the penetration testing request process and backlog/pipeline

· Recommend and implement improvements to testing processes and methodologies

· Support PSIRT and Vulnerability Disclosure processes and activities

· Promote security awareness through hacking demonstrations, CTF events ..

· Proactively perform threat hunting for any new vulnerabilities/risk associated with products and applications.

· Be up to date with cybersecurity trends and share information on new exploits, vulnerabilities to the appropriate stakeholders.

· Collaborate with cross-functional teams and stakeholders to identify and mitigate security risks.

QUALIFICATIONS & SKILLS:

· Bachelor's degree in computer science, cybersecurity, or a related field

· 4-6 years of experience in web, network and embedded/IoT applications penetration testing

· Strong expertise in various penetration testing techniques and attack frameworks such as MITRE ATTCK, PTES standards, fuzz testing, brute force attacks, OWASP top 10 tests, and more

· Hands-on experience with penetration testing tools including open-source tools, such as Metasploit and the Kali Linux tool set, Nessus, Qualys guard, nmap, Wireshark and Burp Suite etc.

· Demonstrate strong manual penetration testing skills and techniques that are required besides automated tools and frameworks

· Good understanding of embedded systems security testing including firmware security, secure configuration analysis, secure boot, physical port testing (USB, serial, CAN, wireless, etc.,)

· Knowledge of the secure SDLC and vulnerability/risk lifecycle

· Knowledge of common vulnerability frameworks such as CVSS, and OWASP top 10

· Experience with hardware debug tools and test equipment

· Solid understanding of network security and penetration testing methodologies

· Strong problem-solving and critical thinking skills

· Excellent communication and report writing abilities

· Certification in a relevant area such as OSCP, OSWP, GPEN, CPTC, or CPTE is highly desired

· Excellent communication and presentation skills

· Ability to collaborate effectively as part of a global cross functional team, working independently with minimal supervision.