The VMware Vulnerability Management team is responsible for proactively identifying and managing the remediation of vulnerabilities affecting VMware infrastructure and services. The Sr. Information Security Engineer is a highly technical role responsible for vulnerability detection and assessment, penetration testing, and driving vulnerability remediation. The ideal candidate will have strong experience performing vulnerability assessments and penetration tests for large enterprises. The candidate will also have deep expertise running large scale vulnerability management programs.
This position is responsible for:
Managing the end-to-end vulnerability lifecycle from discovery to closure.
Performing vulnerability assessments to identify weaknesses and countermeasures and providing timely assessment reports to key stakeholders.
Conducting attack surface reviews and recommending layered defenses to prevent exploits, detect and intercept attacks, and discover threat agents.
Performing complex security test data analysis in support of security vulnerability assessment processes, including root cause analysis.
Producing vulnerability, configuration, and coverage reporting to demonstrate assessment coverage and remediation effectiveness, designing and implementing dashboards and data visualizations for various stakeholders.
Implementing processes, capabilities, and techniques for vulnerability management and security testing.
Driving development and ongoing maintenance of vulnerability management platforms.
Monitoring vulnerability disclosure mailing lists and threat intelligence feeds to identify and triage new threats and vulnerabilities targeting VMware.
Serving as an escalation point on issues, dependencies, and risks related to vulnerability scanning and security testing.
Contributing to the strategic direction for vulnerability management and security testing capabilities at VMware.
Supporting compliance and risk management activities, recommending security controls and corrective actions to mitigate vulnerability risks.
Providing technical expertise for VMware information security policies and standards.
Developing and implementing KPI and metric reporting related to vulnerability management.
Maintaining current knowledge and understanding of the threat landscape and emerging security threats and vulnerabilities.
Maintaining a high level of confidentiality.
Required skills and experience:
Strong experience in vulnerability assessment and penetration testing.
Expert knowledge of common vulnerability frameworks (CVSS, OWASP Top 10).
Expert knowledge of system, application, and database hardening techniques and practices.
Expert knowledge of Internet security and networking protocols.
Experience with software development.
Extensive experience using vulnerability scanning tools (Nessus, Qualys, AppScan, Trustwave, Burp Suite, Nipper) and vulnerability management platforms (RiskVision, Kenna Security).
Experience using common security testing and analysis tools (Metasploit, Kali, Wireshark).
Experience managing vulnerability management and security testing for cloud services (Amazon Web Services, Microsoft Azure, Google Cloud Platform).
Strong understanding of cloud computing and security issues related to cloud environments.
Strong understanding of vulnerability management and security testing practices and methodologies.
Strong analytical skills and ability to identify advanced threats.
Scripting skills such as Python, Perl, Shell, Bash.
Ability to interact effectively at all levels of an organization, across diverse cultural and linguistic barriers, and as part of a geographically distributed team.
Ability to collaborate effectively as part of a team and work independently with minimal supervision.
Ability to quickly adapt as the external environment and organization evolves.
Ability to prioritize projects and deliverables.
Comfortable facing new challenges and changes in direction.
Self-motivated, team player, and detail oriented.
Positive and constructive attitude.
Excellent written and verbal communications.
Availability outside working hours for high priority events.
Some travel required.
Bachelor’s degree or equivalent experience.
Certifications such as GPEN, GWAPT, GXPN, GAWN, GMOB, CISSP.