Job Information
UPMC Offensive Security Analyst, Senior in Pittsburgh, Pennsylvania
Purpose:
UPMC Corporate IT is hiring an Offensive Security Analyst-Senior to join their Offensive Security team. The team is highly collaborative. The perfect candidate will meet the requirements of the description and also be a strong communicator. The role calls for clear documentation of their work and the ability to share that information both with the individual contributors who are remediating risk and in clear leadership updates.
This is a hybrid role that requires onsite work for offensive security responsibilities. While the majority of the work can be done remotely, there will be times when on-call rotations and evening work are necessary. This may also involve some travel to UPMC hospitals, offices, or other locations as needed. The work schedule is flexible but must be approved in advance by leadership.
Responsibilities:
Execute infrastructure & web application penetration tests independently or as part of a team
Create detailed engagement plans, thoroughly document findings, and recommend remediations
Meet with various teams in support of remediation efforts, acting as a technical resource
Act in a security consulting role with infrastructure, development, and fellow IAS teams to provide insight to attacker tools, technologies and procedures (TTPs)
Communicate and collaborate with partner teams, service owners, Information Security, and senior leadership to influence, prioritize, and drive the resolution of findings
Support software development initiatives by working with development teams to integrate security into the development lifecycle (DevSecOps)
Lead & support team strategy, direction, and priorities
Support Vulnerability Assessment and SOC through troubleshooting, incident response, vulnerability analysis, and purple teaming
Advance strategic initiatives by influencing leadership, key stakeholders, and partnering with teams throughout UPMC
Train and help develop Offensive Security Team operators
Performs in accordance with system-wide competencies/behaviors
Performs other duties as assigned
Three (3) + years of experience in penetration testing or similar offensive security role
Three (3) + years of experience in an incident detection/response role
Three (3) years of professional experience with security engineering practices (e.g., web application security, network security, authentication and authorization protocols, cryptography, automation, and other software security disciplines)
3+ years of experience with interpreted or compiled languages (e.g., Python, Ruby, C/C++, Java, .NET); ability to follow code logic in unfamiliar languages
OSCP required
Typically has a 4-year academic degree and 5+ years of information security or equivalent practical work experience
Completes on-going training on-the-job, through courses, self-study, certifications and/or advanced degrees to maintain and enhance technical and business capabilities
Hold and maintain at least one advanced penetration testing certification (OSWE, OSEP, GXPN, etc.). Knowledge of various security domains (e.g., system and network security, authentication & security protocols, cryptography, application security, incident response). Experience in developing security tooling and automation. Experience with cloud services
Preferred Qualifications: Knowledge of/experience with mobile application penetration testing. Hold and maintain additional penetration testing certification (OSWE, OSEP, GXPN, etc.). Experience with supporting the software development lifecycle, in particular the introduction of security at various phases to support both development needs as well as security requirements. Participation in CTF competitions, CVE research, and/or Bug Bounty recognition
TOP 3 SKILLS NEEDED:
Penetration Testing: The candidate should have over three years of experience in penetration testing or a similar offensive security role.
Incident Detection/Response: The candidate should have over three years of experience in incident detection and response.
Security Engineering: The candidate should have professional experience with security engineering practices, including web application security, network security, authentication and authorization protocols, cryptography, and automation.
MUST HAVES:
Clear Communication & Organization Skills: Clear communication skills; will need to document findings and recommend remediations effectively.
Team Player: Be able to collaborate with various teams and act as a technical resource.
Proactive Attitude: Self-starter who is collaborative
Licensure, Certifications, and Clearances:
At least one advanced penetration testing certification (OSWE, OSEP, GXPN, etc.) is required. Additional certifications are preferred.
- Act 34
UPMC is an Equal Opportunity Employer/Disability/Veteran