Duke Health Technology Solutions is a robust, specialized division of Duke University Health System dedicated to the development and management of enterprise IT systems. A 2018 'Most Wired' health system, Duke is nationally recognized for IT and information management as the first healthcare system to achieve the Davies Award – the highest honor of the Healthcare Information and Management Systems Society (HIMSS) – for inpatient, ambulatory and analytics health information technology capabilities. Our employees are among the top-skilled IT experts in the Triangle and partner with leading scholars, clinicians, and researchers across Duke University and Duke Health to develop innovative technologies that support our mission of delivering tomorrow's healthcare today.
The Penetration Testing and Vulnerability Management team at Duke Health is seeking an Information Security Analyst – Penetration Tester to support web application and mobile application security. This team is an important part of the overall Information Security Office, whose mission is to test and measure the security posture of all in-scope assets, applications, and services ensuring that all vulnerabilities are responded to and addressed. The team is small but made up of talented career penetration testers and vulnerability analysts, always available for support and assistance. If you are a passionate and driven penetration tester, who is looking for a challenging career opportunity, then please apply and help drive the Duke Health penetration testing program.
In this role, you will work with Information Security Office (ISO) team members as well as application owners to identify and mitigate security vulnerabilities in applications identified through testing. Communication with business owners, application owners, security teams, and development partners is critical in this role. You will also act as an application security SME for the development and security communities across Duke.
Information Security Analyst - Penetration Tester Responsibilities
Perform Web application and mobile application penetration testing
Deliver some network, service, or host-based security posture testing
Manual penetration testing of applications to identify vulnerabilities across different categories like input and data validation, authentication, authorization, data access, session management, error handling, logging, encryption, and confidentiality
Conduct Static and Dynamic Application Security Testing (SAST & DAST)
Enhance and improve testing tools, scripts and methodologies as needed
Assist in all scoping, scheduling, and logistics for each penetration test and security assessment
Communicate and coordinate daily project activities within the project team and assure that priorities are developed and known
Build penetration test and vulnerability assessment reports detailing exposures that were identified, rate the severity of the findings, and provide recommendations to mitigate any exposures or known vulnerabilities
Train development teams on vulnerabilities, ease of exploitation, impact, security requirements and remedies for individual issues
Remain up to date on emerging vulnerabilities and exploit techniques to ensure no such vulnerabilities exist across the Duke Health application inventory
Design, maintain, and enhance testing scripts, tools, and processes
Continually improve application security assessment processes to keep up with the industry standard methodologies
Provide penetration testing service offering leadership
Maintain an overall inventory of applications, owners, and testing results
Bachelor's degree in a related technical field, or five years of equivalent technical experience required.
3+ years of information security experience
2+ years of Application Security Testing experience
2+ years of information security penetration tools experience
Desired Skills and Qualifications
Industry certification like CREST, Offensive Security, SANS Institute
Thorough understanding of the OWASP, SANS, and PTES frameworks and of common vulnerabilities and attack vectors
Port, protocol, and service enumeration: e.g. Wireshark, Rumble, Nmap, and Masscan
Vulnerability scanning: e.g. Tenable Nessus, Nexpose, Acunetix WVS, Netsparker
Web and mobile application testing: e.g. Burp Suite, SoapUI, ZAP, Nikto, MobSF, Veracode, DirBuster, sqlmap, SQLNinja, Frida, Objection
Penetration testing Linux distros: e.g. Backbox, Kali, Matrix
Ability to manage complex issues and develop potential solutions
Excellent verbal and written communication skills
Experience working in a large enterprise environment
Ability to manage multiple and competing priorities
Ability to take on a high level of responsibility, initiative, and accountability
Ability to work with limited supervision
Good attention to detail and accuracy skills
Knowledge and understanding of information security industry standards and government regulations
Strong analytical skills with high attention to detail and accuracy
Strong collaboration and partnering skills
Duke is an Affirmative Action/Equal Opportunity Employer committed to providing employment opportunity without regard to an individual's age, color, disability, gender, gender expression, gender identity, genetic information, national origin, race, religion, sex, sexual orientation, or veteran status.
Duke aspires to create a community built on collaboration, innovation, creativity, and belonging. Our collective success depends on the robust exchange of ideas—an exchange that is best when the rich diversity of our perspectives, backgrounds, and experiences flourishes. To achieve this exchange, it is essential that all members of the community feel secure and welcome, that the contributions of all individuals are respected, and that all voices are heard. All members of our community have a responsibility to uphold these values.
Essential Physical Job Functions: Certain jobs at Duke University and Duke University Health System may include essential job functions that require specific physical and/or mental abilities. Additional information and provision for requests for reasonable accommodation will be provided by each hiring department.
As a world-class academic and health care system, Duke Health strives to transform medicine and health locally and globally through innovative scientific research, rapid translation of breakthrough discoveries, educating future clinical and scientific leaders, advocating and practicing evidence-based medicine to improve community health, and leading efforts to eliminate health inequalities.