Ethical Hacker - Pen Tester

Lenovo - Atlanta, GA

Position Description:
Lenovo Data Center Group’s (DCG) Product Security Office Software Security Review Board is seeking a Sr. Product Security Test Engineer (Ethical Hacker) to provide hands-on security assessment expertise and security leadership to help maintain a high level of security in the products we sell to our customers.

We are seeking a passionate senior-level ethical hacker looking to break away from the same old, same old and into work with a broad product portfolio of diverse technologies coupled with ownership of your discoveries from findings to fixes. You’ll be part of a team assessing and securing it all – including current and under-development applications, APIs, cloud services, embedded systems, firmware, network operating systems, storage, servers, and more from Lenovo DCG and our suppliers. You’ll work with internal and external product teams, suppliers, and partners, along with our 3rd-party security partners – representing some of the best in the industry – that help us with our product security mission.

This is a new position being added to support Lenovo DCG’s growing and evolving product security assessment needs, joining an established team responsible for securing an expanding product portfolio. This position is well suited to candidates that thrive on challenges, with each day presenting opportunities for leveraging and refining your ethical hacking skills, solving new problems, learning new things, or working with new teams, suppliers, partners or technologies. This is not a role for candidates that do best when single tasking or focusing on cradle-to-grave projects. Potential exists for this position to evolve into a team lead or hybrid execution + management position for the right candidate.

Representative responsibilities include:
  • Working with global product teams to understand their products and devise appropriate security assessment approaches
  • Installing, configuring, and using products, tools, and operating systems
  • Conducting product security assessments, analyzing weaknesses, formulating mitigations or remediation measures, documenting findings, and working with global product teams to ensure proper corrective actions are implemented
  • Identifying root cause of recurring issues and working with management and the larger DCG Product Security Office team to address programmatically
  • Assessing risk and prioritizing mitigation and remediation activities
  • Serving as a security subject matter expert and technical leader to internal and external product teams, suppliers, partners, security researchers, and business leaders
  • Researching, identifying, developing, and/or customizing tools, tactics, and procedures for enhancing security assessment effectiveness
  • Staying current on threats, vulnerabilities, attack techniques, new tools, and industry trends
  • Facilitating, supporting, and managing assessments performed by our 3rd- party security partners
  • Mentoring product security test engineers
  • Supporting secure development lifecycle initiatives
  • Supporting the DCG Product Security Office and DCG Security Architectural Review Board
Position Requirements:Basic Qualifications:
  • Bachelor’s degree in information security, computer science, engineering, MIS, or similar degree programs
  • Seven-plus (7+) years of practical experience assessing and securing products that power data center and cloud environments – such as embedded systems, firmware, application software, APIs, web applications, network storage solutions, operating systems, etc.
  • Expertise in hands-on technical security assessments (e.g., penetration testing, vulnerability assessment, red teaming, etc.)
  • Deep understanding of security weaknesses, identification, exploitation, and remediation
  • Mastery of security assessment tools and helpers, such as Burp Suite Pro, curl, IDA Pro, Kali, Metasploit, Nessus, nmap, Wireshark, and similar
  • Mastery of security foundations such as authentication, hardening, least privilege, attack surface reduction, protection rings, cryptography use, static analysis, dynamic analysis, fuzzing, CVSS, CWE, OWASP/SANS/CIS Top X, etc.
  • Deep knowledge of and comfort with TCP/IP, including using and securing fundamental networking protocols such as TCP, UDP, ICMP, DNS, HTTP, HTTPS, SSH, etc.
  • Understanding and applied use of security standards such as NIST SP800-series, NIST Cybersecurity Framework, FIPS 140-2, Common Criteria, FISMA/FedRAMP, ISO 27000, PCI-DSS, CIS Benchmarks, and similar
  • Moderate programming and/or scripting skills in at least one modern programming language
Preferred Skills and Experience:
  • Reverse engineering binary code
  • Performing code reviews and reviewing the results of static analysis tools
  • Working with geo-diverse teams across different time zones
  • Strong collaboration skills over application sharing platforms and teleconferencing
  • Technical consulting background
  • Knowledge of Lenovo DCG products
  • Security certifications: CISSP, CSSLP, CEH, OSCP, or similar desired
  • Ability to install, configure, and use products, tools, and operating systems
Key Personal Traits:
  • Self-motivated and results driven, able to effectively work independently or as part of a team, able to motivate and cultivate collaborative relationships
  • A strong technical leader to internal and external teams, suppliers, partners, and security researchers, with the ability to persuade and influence
  • A critical thinker and problem solver, who is naturally curious and a consummate learner
  • A good communicator, capable of clearly explaining and documenting security findings and mitigations
  • Able to navigate sometimes contentious situations and successfully resolve conflicts with respect and professionalism
  • Adept at multi-tasking and achieving results in a high-pressure environment while adapting to fluid business demands