UltimaHR 专注于为欧美企业服务,提供面向国人的远程工作机会。
要求候选人:
- 可以读写英文 可以进行基础的口语沟通。
- 不存在时差问题。国内时区即可。邮件沟通居多。
薪资:18k ~ 35k, 优秀者高不限顶。
下面是 JD ,欢迎投递简历~ zarek@ultimahr.com 联系时请注明: 来自 v2ex
职位 1: 网络安全(Web)工程师
描述
可以独立的进行 web 应用程序及其相应基础设施进行漏洞评估、渗透测试、安全代码审查和安全架构审查
工作内容
- 针对关键更改执行威胁建模练习。
- 静态和动态代码测试( code review 、手动渗透测试等)
- 复杂 web 应用程序和全局 API 中的漏洞评估
- 在开发和运营生命周期中嵌入安全性
- 软件开发过程中使用的安全工具集的实施、维护和管理。
岗位要求
要求熟悉或具备下列技术:(不用每一条都会,大部分即可)
- SQL 注入( SQLi )
- XML 外部实体( XEE )
- 服务器端请求伪造( SSRF )
- 反序列化和对象注入
- OSINT 被动和主动侦察
- 有效载荷开发
- 特权提升
- 远程代码执行( RCE )
- 跨站点脚本( CSS )
- 跨站点请求伪造( CSRF )
- 攻击计划和执行(利用面向公众的服务、社会工程等)
职位 2: 移动安全(Mobile App)工程师
描述
可以独立的执行漏洞评估、渗透测试、安全代码审查和移动应用程序及其相应基础架构的安全架构审查
工作内容
- 协助制定针对已识别结果的补救建议,以及网络和 web 应用程序渗透测试。
- 对移动应用程序和相关基础设施执行自动和手动代码审查。
- 进行移动渗透测试。
岗位要求
- 了解 Windows 和 Linux 操作系统、安全网络和相关技术(包括如何在复杂的遗留环境中部署它们)。
- 熟悉网络和服务攻击性安全测试的常用安全工具( Nmap 、Metasploit 、Kali Linux 、Nessus 、Burp Suite Pro 等)。
- Swift 、Java 、C++、单元测试、iOS 扩展( Action sharing 、消息传递、VPN )、本地化。
- 使用 Objective-C 、Swift 、Java 和 C++开发 Android 和 iOS 应用程序和 SDK 。
- Mobile App 的渗透测试。
- 良好的文档撰写能力。
- MDM 经验。
- iOS 网络通信。
职位 3: 恶意软件分析( Malware Analysis )工程师
描述
可以独立执行恶意软件分析,撰写 POC ,改进和提高产品线的效率。
工作内容
- 协助制定针对已识别结果的补救建议,以及网络和 web 应用程序渗透测试。
- 对移动应用程序和相关基础设施执行自动和手动代码审查。
- 进行移动渗透测试。
岗位要求
- 提供威胁分析,包括感染、传播、lateral movement 和爆破点(exploitation)。
- 提供攻击链分析,包括感染媒介、传播等。
- 提供事故分析和补救说明。
- 可以提取恶意模式(extract malicious patterns),并编写检测规则。
- 监控本地威胁和恶意组织(特别是那些与网络有关的恶意组织)。
英文:
1. Penetration Testing Web Applications
Description
Individuals needed for performing vulnerability assessments,penetration testing, secure code reviews and secure architecture reviews of web applications and their corresponding infrastructures
Responsibilities
- Perform threat modeling exercises for critical changes.
- Static and dynamic security testing code( review, manual penetration testing, etc.)
- Vulnerabilities assessment in complex web apps and global API
- Embed security in the development and operational lifecycle
- Implementation, maintaining and administering of security tool sets used in the software development process.
Requirements
Experience in the following:
- SQL Injection (SQLi)
- XML ExternalEntities (XEE)
- Server side Request Forgery (SSRF)
- Deserialization and Object Injection
- OSINT passive and active reconnaissance
- Payload development
- Privilege Escalation
- Remote Code Execution (RCE)
- Cross-Site Scripting(CSS)
- Cross-Site Request Forgery (CSRF)
- Attack planning and execution (exploiting public facing servicesphishing,social engineering, etc)
- Lateral Movement
- NAC bypass techniques
2. Penetration Testing in Mobile Applications
Description
Individuals needed for performing vulnerability assessmentspenetration testing, secure code reviews and secure architecturereviews of mobile applications and their corresponding infrastructures
Responsibilities
- Assist with the development of remediation recommendations for identifed findings, as well as network and web application penetration testing.
- Perform automated and manual code reviews of mobile applications and related infrastructure.
- Perform mobile penetration testing.
Requirements
Experience in the following:
- Knowledge of Windows and Linux operating systems, security networking and related technologies ( including how they are deployed in complex legacy environments).
- Experience with common security tools for offensive security testing of real-world networks and services (Nmap, Metasploit, Kali Linux, Nessus, Burp Suite Pro etc).
- Swift, Java, C++,Unit Testing, iOS extensions (action share, messaging, VPN), Localization.
- Android and iOS App and SDK development using Objective-C, Swift, Java and C++.
- Mobile application penetration testing.
- Able to document fndings in reports in an effcient manner.
- MDM Experience.
- iOS Network communications.
3. Malware Analysis
Description
Individuals needed for performing malware analysis, AV records, participation in PR engagements and quotes in local media, wherever applicable perform proof-of-concept implementations of systems, for improving and increasing the effciency of the product line.
Responsibilities
- Provide analysis for threats, including infection,propagation, lateral movement and exploitation.
- Provide analysis of the attack chain, including infection vector payload, propagation, etc.
- Provide analysis of an incident and remediation instructions.
- Extract malicious patterns from an object and write a detection rule which doesn't cause false positives.
- Monitor local threats and maior criminal groups, especially malware (including affliate networks).
requirements
Experience in the following:
- Disassemblers and debuggers (IDA Pro, Hlew, WinDbg, OllyDbg...)
- File formats and network protocols.
- Network traffc analysis tools (Wireshark, Fiddler)
- Sophisticated threats analysis - fileless attacks, ransomware, banking trojans, exploits, etc.
- Source code analysis in different programming languages.
- x86and x86-64 assembler.
- PE32/PE64fles analysis.
- Windows OS internals - memory, threads, processes, APl, etc
- Applied cryptography (hashing encryption)
- Penetration testing/red team and their corresponding tools and techniques.
- Programming in some programming languages.
- Development in the field of information security