Senior Penetration Tester
Company Description
ServiceNow is making the world of work, work better for people. Our cloud‑based platform and solutions deliver digital workflows that create great experiences and unlock productivity for employees and the enterprise. We're growing fast, innovating faster, and making an impact on our customers' and employees' lives in significant and important ways. With over 6,900 customers, we serve approximately 80% of the Fortune 500, and we're on the 2020 list of FORTUNE World's Most Admired Companies.®
We're looking for people who are ready to roll up their sleeves and help us build on our incredible momentum, our diverse, engaged workforce, and our purpose to make the world of work, work better.
Learn more on Life at Now blog and hear from our employees about their experiences working at ServiceNow.
Job Description
Description
Job Title: Senior Penetration Tester
Location: Remote, CA
Description:
The Senior Penetration Tester is a critical contributor to ServiceNow’s internal offensive security initiatives. The successful candidate knows how to think like an attacker, and is well versed in modern attack vectors and offensive strategy. This individual is an adept communicator, motivated and proactive.
The Senior Penetration Tester will draw from their wide breadth of career experience to perform engagements against a complex attack surface composed of varying technologies, applications and infrastructure. Faced with unfamiliar targets and technology, the candidate will adapt and quickly develop subject matter expertise; they will look for opportunities to use their programming and scripting proficiency to automate tasks.
While the scope of engagements is limited to ServiceNow systems and infrastructure, prior experience in security consulting is an asset. The ideal candidate is collaborative, and adds unique value to the team while also respecting and learning from, or nurturing the development of more junior teammates.
Duties and Responsibilities:
- Scope, coordinate, lead and execute penetration tests against ServiceNow attack surface from beginning to end.
- Planning and executing penetration tests based on themes and direction provided by the ServiceNow Red Team and senior leadership, as well as those informed by their developing knowledge of the ServiceNow environment.
- Meticulously documenting findings including all necessary information required to understand business impact, and engage with systems and infrastructure owners to facilitate remediation.
- Develop a broad and deep technical understanding of ServiceNow services and products
- Provide security leadership by communicating and collaborating across the organization with internal security teams, product engineering, IT and other teams as needed.
Qualifications
In order to be successful in this role, we are looking for someone that:
- Has 4 or more years of experience attacking and defending corporate networks.
- Demonstrated successful track record in previous penetration testing positions
- Demonstrated industry leadership, for example:
- Presented at information security conferences or events
- Developed open-source security tooling
- Other extra-curricular contributions to the security community
- Has significant experience leading and executing web application and network penetration tests across a variety of environments, working with and attacking *nix, MS Windows, and Mac OS operating systems, as well as cloud infrastructure platforms (e.g., AWS, Azure, GCP).
- Is capable of collaborating with other teams to dig deep into technical issues and help devise compensating controls where more obvious or ideal remediation approaches are infeasible.
- Is adept at communicating technical security findings across a broad spectrum of audiences including product engineering and executive leadership.
- Grasps risk management concepts as they apply to offensive security; cautiously balances and avoids unnecessary introduction of risk during engagements.
- Is comfortable working both independently and as part of a team to execute penetration testing engagements; and able to efficiently manage time and resources across multiple tasks.
- Is very comfortable using standard industry tools such as Nessus, Qualys, Burp, Nmap, Metasploit etc. as well as quickly getting up to speed on the latest attack tool/technique. Understands what tools and attacks are doing “under the hood”, and is not intimidated by the idea of extending their functionality or writing their own tools.
- Has proficiency with scripting and programming languages, for example:
- C#, C, Java, JavaScript, Objective C, Python, Rust, Go, bash and PowerShell.
- Can use their creativity to discover vulnerabilities in systems and infrastructure that commoditized security testing would miss.
- Has a deep interest in information security and problem solving; and can potentially draw inspiration and insight from previous career experience or non-attack focused interests such as:
- programming, reverse engineering, forensics, CTFs, quilting, etc.
Additional Information
ServiceNow is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex, sexual orientation, national origin or nationality, ancestry, age, disability, gender identity or expression, marital status, veteran status or any other category protected by law.
If you are an individual with a disability and require a reasonable accommodation to complete any part of the application process, or are limited in the ability or unable to access or use this online application process and need an alternative method for applying, you may contact us at +1 (408) 501-8550, or [email protected] for assistance.
For positions requiring access to technical data subject to export control regulations, including Export Administration Regulations (EAR), ServiceNow may have to obtain export licensing approval from the U.S. Government for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by the U.S. Government.