Full Job Description
Location Name: Findlay, OH or San Antonio, TX
Job/Requisition ID: 59870
Location Address: 539 S Main St, Findlay, OH, United States (US), 45840
Education Level: Bachelor's Desired
Relevant Experience Level: Mid Career (4-10 Years)
Employee Group: Regular - Full Time
Employee Subgroup: Salaried Exempt
The Vulnerability/Penetration Tester is a highly critical role tasked with providing assurance for the security posture of the enterprise through discovering, assessing, reporting, and tracking the remediation of security vulnerabilities. The Vulnerability/Penetration Tester will perform assessments within IT and OT environments. This position will identify where systems/networks deviate from acceptable security configurations. The role is given structured opportunities to expose system vulnerabilities through active evaluations (penetration tests and/or vulnerability assessments), using specialty tools and techniques that simulate adversarial techniques. These personnel are also known as vulnerability assessors, vulnerability analysts, or penetration testers.
Key Responsibilities and Requirements:
Develop test procedures and/or document recommendations for test plan modifications that improve validation of cybersecurity controls. Test procedures may cover a wide range of technically diverse areas such as, but not limited to, IP network discovery, password length and complexity requirements, and vulnerability exploitation.
Knowledge of APT TTPs and how to replicate their attack methodology.
Ability to work with publicly available exploits and PoC code.
Write penetration testing rules of engagement, test plans, standard operating procedures and reports.
Thoroughly document exploit chain/proof of concept scenarios.
Research and remain up-to-date with new threats and adversary emulation methodologies.
Expertise in testing web applications for common web application security vulnerabilities including input validation vulnerabilities, broken access controls, session management vulnerabilities, cross-site scripting issues, SQL injection and web server configuration issues.
Hands-on expertise with commercial and open-source cyber security tools such as proxies, port scanners, vulnerability scanners, and exploit frameworks (e.g., Burp Suite, Nmap, Metasploit, Cobalt Strike, Nexpose/IVM).
Develop comprehensive and accurate reports and presentations for both technical and executive audiences.
Extensive knowledge of MITRE ATT&CK Framework.
Penetration testing experience with web applications, operating systems, network protocols, wireless, mobile, databases and middleware.
Must be willing to travel as needed (10%).
The successful Vulnerability/Penetration Tester:
Verifies if vulnerabilities are actual threats or false-positives.
Creates plans to remediate and track vulnerabilities with system owners.
Stays abreast of the latest security threats and vulnerabilities.
Maintains a positive, customer-centric attitude.
Has strong problem solving and organization skills.
Builds and maintains excellent relationships with internal customers.
Is a self-starter and able to regularly produce results with minimum supervision.
Has strong presentation and communication skills.
Bachelor’s degree in technical field (Computer Science, Information Systems, Information Systems Security) or equivalent background and experience
Experience in security engineering, system and network security, authentication and security protocols, applied cryptography, and application security
Network and web-related protocol knowledge (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)
Understanding of security fundamentals and common vulnerabilities such as the OWASP Top Ten and CIS Critical Security Controls.
4-6 years of experience in a technical, professional role for an enterprise, with a minimum of 3 years in a cybersecurity vulnerability/penetration tester position.
Knowledge of OWASP, MITRE ATT&CK, and CIS Critical Security Controls
Ability to understand information security risks associated with vulnerability testing, patch management, and secure configuration management.
Experience with common commercial and open source penetration tools such as Kali Linux, Burp Suite Pro, Metasploit and password cracking tools.
The following certifications are strongly preferred:
Offensive Security Certified Professional (OSCP)
Certified Penetration Tester (GPEN)
Web Application Penetration Tester (GWAPT)
Certified Information Systems Security Professional (CISSP)
About Marathon Petroleum Corporation
Marathon Petroleum Corporation is a leading, integrated, downstream energy company headquartered in Findlay, Ohio. The company operates the nation’s largest refining system with more than 3 million barrels per day of crude oil capacity across 16 refineries. Marathon Petroleum's marketing system includes branded locations across the United States, including Marathon branded outlets. Speedway LLC, a Marathon Petroleum subsidiary, owns and operates retail convenience stores across the United States. MPC also owns the general partner and majority limited partner interest in MPLX LP, a midstream company which owns and operates gathering, processing, and fractionation assets, as well as crude oil and light product transportation and logistics infrastructure.
Travel Expected: Up to 10%
Marathon Petroleum Company LP is an Equal Opportunity Employer and gives consideration for employment to qualified applicants without discrimination on the basis of race, color, religion, creed, sex, gender (including pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity, gender expression, age, mental or physical disability, medical condition or AIDS/HIV status, ancestry, national origin, genetic information, military, veteran status, marital status, citizenship or any other status protected by applicable federal, state, or local laws. If you would like more information about your EEO rights as an applicant, click here.
If you need a reasonable accommodation for any part of the application process at Marathon Petroleum LP, please contact our Human Resources Department at email@example.com. Please specify the reasonable accommodation you are requesting, along with the job posting number in which you may be interested. A Human Resources representative will review your request and contact you to discuss a reasonable accommodation.
Equal Opportunity Employer: Veteran / Disability
Marathon Petroleum Company LP participates in the E-Verify program in some states in which it operates (including AL, AZ, GA, MS, NC, SC, TN, and UT). For more information before proceeding, please see details in English or Spanish. Right to Work Statement English or Spanish.