Principal, Cybersecurity Penetration Tester

Fidelity

Durham, NC, USA

Posted on Jun 17, 2026

Job Description:

Position Description:

Performs security assessments of applications prior to production deployment using static code analysis, dynamic testing tools, and manual techniques. Assists in establishing the strategy, policy, and standards of security for cybersecurity operations. Develops custom Python scripts to automate repetitive tasks. Defends the enterprise against attacks, damage, and unauthorized access to information, data, and systems. Ensures that threat and vulnerability reduction, deterrence, incident response, resiliency, and recovery policies and activities are up to date. Proactively identifies vulnerabilities in proprietary applications prior to production release and drives their remediation to prevent real-world cyberattacks.

Primary Responsibilities:

  • Performs advanced web application source code auditing.
  • Analyzes code, writes scripts, and exploits web vulnerabilities.
  • Analyzes test results and draws conclusions from them.
  • Identifies vulnerabilities by performing thorough security evaluations of web and mobile applications.
  • Collaborates with application developers to mitigate risk and improve security posture.
  • Performs security testing on web and mobile applications to support production releases.
  • Models potential external threats by replicating the techniques and tools used by malicious attackers.
  • Prepares reports on completed assessments and presents results to application owners, developers, and business unit information security teams.
  • Consults with operations and software development teams to ensure potential weaknesses are addressed.
  • Contributes to the research and development of tools to assist in the vulnerability discovery process.
  • Keeps abreast of current cybersecurity best practices and vulnerabilities.
  • Conducts peer reviews to facilitate continuous improvement across the team.

Education and Experience:

Bachelor’s degree in Computer Science, Engineering, Information Technology, Information Systems, or a closely related field (or foreign education equivalent) and five (5) years of experience as a Principal, Cybersecurity Penetration Tester (or closely related occupation) performing black and white box testing to protect against cyber threats and ensure application security (web, mobile, API, and thick client).

Or, alternatively, Master’s degree in Computer Science, Engineering, Information Technology, Information Systems, or a closely related field (or foreign education equivalent) and three (3) years of experience as a Principal, Cybersecurity Penetration Tester (or closely related occupation) performing black and white box testing to protect against cyber threats and ensure application security (web, mobile, API, and thick client).

Skills and Knowledge:

Candidate must also possess:

  • Demonstrated Expertise (“DE”) estimating the risk of security flaws uncovered during static or dynamic analysis in line with the OWASP Testing Guide; conducting penetration tests on applications to uncover security vulnerabilities (injection attacks, server-side attacks, privilege escalation, GraphQL batching attacks, or JWT signature manipulation attacks) using Burp Suite Professional, Fiddler, Kali Linux, and sqlmap.
  • DE analyzing source code for security weaknesses, writing custom scripts, exploiting security vulnerabilities, and conducting retests to verify the mitigations implemented by development teams, through a combination of manual analysis using Burp Suite Professional and automated scans using GitHub Advanced Security (GHAS) and Mend.
  • DE analyzing Common Vulnerabilities and Exposures (CVE) entries affecting third-party libraries, using Veracode SCA, Mend, Exploit-DB, and the NVD database; and coordinating the dismissal or reopening of policy violation alerts related to security, licensing, and coding standards in GitHub Advanced Security (GHAS).
  • DE crafting custom scripts that automate labor-intensive manual tasks (logging security findings, preparing weekly status reports, verifying artifact correctness) so that assessor time goes to the security assessment itself, using Python and Selenium.
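The JWT signature manipulation attack named in the first requirement above is the kind of check a tester in this role would script. The following is an added example, not code from the posting or from Fidelity: using only the Python standard library, it mints an HS256 token, forges an `alg=none` variant with an elevated claim and no signature, and runs both through a naive verifier that trusts the token's own `alg` header (accepts the forgery) and a hardened verifier that pins the algorithm server-side (rejects it). The signing secret, the claims, and all function names are constructed for the example.

```python
"""Added example (not from the posting): JWT alg=none signature manipulation
versus an algorithm-pinned verifier. Standard library only."""
import base64
import hashlib
import hmac
import json

SECRET = b"example-signing-secret"  # constructed for the example; never hard-code in real code


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Re-pad and decode base64url; an empty segment decodes to b''."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issuer side: header.payload signed with HMAC-SHA256."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token: str, overrides: dict) -> str:
    """Attacker step: keep the claims, apply overrides, declare alg=none,
    and drop the signature (empty third segment)."""
    _, payload, _ = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(overrides)
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_naive(token: str, secret: bytes):
    """Vulnerable verifier: the algorithm is taken from the untrusted header,
    so alg=none means 'no signature required'. Returns claims or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, secret: bytes):
    """Hardened verifier: HS256 is fixed by the server, the header must agree,
    a signature must be present, and comparison is constant-time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    if header.get("alg") != "HS256" or not provided:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none(good, {"role": "admin"})
    print("naive  :", verify_naive(forged, SECRET))   # forged admin claim accepted
    print("pinned :", verify_pinned(forged, SECRET))  # None
```

In a retest, the same script is pointed at the fixed service: the finding is closed only when the `alg=none` token (and a token whose payload was edited while its original signature was kept) is rejected, not merely when the library version changed.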

Certifications:

Category:

Information Technology

Please be advised that Fidelity’s business is governed by the provisions of the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, the Investment Company Act of 1940, ERISA, numerous state laws governing securities, investment and retirement-related financial activities and the rules and regulations of numerous self-regulatory organizations, including FINRA, among others. Those laws and regulations may restrict Fidelity from hiring and/or associating with individuals with certain Criminal Histories.

Benefits that balance life and work

From our fully paid parental leave to our on-site health and wellness centers, our benefits support the belief that the more balance you have, the better you can achieve your goals.

Company overview

At Fidelity, we are passionate about making our financial expertise broadly accessible and effective in helping people live the lives they want. We are a privately held company that places a high degree of value in creating and nurturing a work environment that attracts the best talent and reflects our commitment to our associates. We are proud of our diverse and inclusive workplace where we respect and value our associates for their unique perspectives and experience.

Reasonable accommodations

Fidelity will reasonably accommodate applicants with disabilities who need adjustments to participate in the application or interview process. To initiate a request for an accommodation contact the HR Accommodation Team by sending an email to accommodations@fmr.com, or by calling 800-835-5099, prompt 2, option 3.

Equal opportunity employer

Fidelity Investments is an equal opportunity employer. We believe that the most effective way to attract, develop, and retain a diverse workforce is to build an enduring culture of inclusion and belonging.

Applicant screening

At Fidelity, we value honesty, integrity, and the safety of our associates and customers within a heavily regulated industry. Certain roles may require candidates to go through a preliminary credit check during the screening process. Candidates who are presented with a Fidelity offer will need to go through a background investigation and may be asked to provide additional documentation as requested. This investigation includes but is not limited to a criminal, civil litigation and regulatory review, employment, education, and credit review (role dependent). These investigations will account for 7 years or more of history, depending on the role. Where permitted by federal or state law, Fidelity will also conduct a pre-employment drug screen, which will review for the following substances: amphetamines, THC (marijuana), cocaine, opiates, phencyclidine.