Penetration Tester

Zagreb, Grad Zagreb, Croatia

Infinum

We define, build, and scale digital products that grow businesses and empower people to do more and better.



Infinum's Cybersecurity team plays a critical role in ensuring the security of our clients' products, safeguarding them against potential threats and vulnerabilities. The team collaborates closely with developers, system architects, and clients, making security an integral part of our software development lifecycle.

We have the opportunity to work on a variety of projects for global clients across industries like finance, hospitality, healthcare, and automotive. Equipped with cutting-edge tools and methodologies, we test the security of web & mobile applications, infrastructure, networks, IoT ecosystems, and other innovative solutions.

In addition to a sharp eye for vulnerabilities and a proactive mindset, our penetration testers use tools such as Burp Suite Professional, Nuclei, OWASP ZAP, Nmap, Amass, and others to ensure the highest levels of security.

Qualifications and experience

We believe that the following is essential for your success as a member of our cybersecurity team:

Experience

At least three years of experience in web & mobile penetration testing and application security in accordance with OWASP standards and guidelines such as the WSTG, ASVS, MASTG, MASVS, and SAMM.

Willingness to learn

You don’t need to be an expert in all things cybersecurity, but you should have a strong understanding of the offensive security landscape and be eager to keep learning.

Communication skills

A key part of your job will involve reporting vulnerabilities and collaborating with both technical and non-technical stakeholders. You need to be clear, concise, and able to explain complex issues in an accessible way.

Attention to detail

The smallest vulnerability can lead to major breaches. You should have a keen eye for identifying hidden weaknesses that others might overlook.

English

You'll discuss cybersecurity topics daily with our worldwide colleagues and clients. Both written and verbal fluency are required.

Bonus points

  • Hands-on experience with penetration testing tools and frameworks (e.g., Burp Suite, Metasploit, Nmap).
  • Certifications focused on offensive security, e.g., PenTest+, eWPT, eMAPT, OSCP, OSWE, GWAPT, or similar.
  • Familiarity with application security principles and network protocols.
  • Familiarity with cloud security and related attack vectors.
  • Experience with vulnerability assessment and reporting.
  • Experience in programming or scripting (Python, Bash, etc.) to automate tasks.
  • Familiarity with compliance standards (e.g., ISO 27001, SOC2, PCI-DSS) and their security implications.

Responsibilities

As a Penetration Tester at Infinum, you will:

  • Conduct penetration testing on web & mobile applications to identify security vulnerabilities.
  • Simulate real-world attacks and provide detailed reports of your findings, including risk assessments and remediation recommendations.
  • Collaborate with clients’ teams to help them understand and fix vulnerabilities.
  • Develop and maintain test scripts and custom exploits for use in penetration tests.
  • Stay up to date with the latest attack techniques and tools in order to improve the testing processes and methodologies.
  • Contribute to improving security processes and training team members on security best practices.


Tools we use

Amass

Amass is our asset discovery tool for mapping out attack surfaces. It helps us gather subdomains, DNS records, and other valuable reconnaissance data.

Burp Suite Professional

Our go-to tool for web application security testing. From manual testing to automated scans, Burp Suite helps us find vulnerabilities and assess risks efficiently.

Frida

Frida is our tool of choice for dynamic instrumentation. It lets us inject JavaScript into running processes to hook functions, inspect arguments and return values, and modify application behavior at runtime, which is invaluable in reverse engineering, debugging, and mobile testing (for example, bypassing root/jailbreak detection or certificate pinning during an assessment).

Ghidra

Ghidra is essential for reverse engineering software. This open-source suite helps us disassemble and decompile binaries, allowing for in-depth analysis of executable code and uncovering hidden vulnerabilities.

MobSF

We use MobSF for mobile application security assessment. This tool automates static and dynamic analysis, helping us quickly identify security flaws in Android and iOS applications.

Nmap

The network scanner we trust for network discovery and vulnerability assessments. Nmap helps us identify open ports, services, and network misconfigurations.

Nuclei

Our tool of choice for template-driven vulnerability scanning. Each check is a small YAML template describing a request and the response conditions that indicate a finding, so Nuclei lets us codify our own checks and scale them across large attack surfaces.
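To show what "customizable templates" means in practice, here is a minimal Nuclei template written as an added example; it is not part of this page or Infinum's own template set. The template id, the matched key names, and the severity are assumptions chosen for illustration; the `http` block, matcher and extractor syntax follow the Nuclei v3 template format.

```yaml
# Added example (not from this page or Infinum): a minimal Nuclei template
# that checks whether a web server exposes a .env file at the site root.
# The id, name, severity and the matched key names are assumptions made
# for illustration only.
id: exposed-dotenv-file

info:
  name: Exposed .env file
  author: example
  severity: high
  description: >
    Requests /.env and flags a 200 response whose body looks like an
    environment file. Leaked .env files commonly contain database
    credentials and application secrets.
  tags: exposure,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    # Both matchers must hit: a 200 status AND at least one typical
    # .env key in the body. Requiring the body match avoids false
    # positives on sites that answer every path with a custom 200 page.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        condition: or
        words:
          - "APP_KEY="
          - "DB_PASSWORD="
          - "DB_HOST="

    # Report which keys were present without dumping the whole file
    # into the scan output.
    extractors:
      - type: regex
        part: body
        regex:
          - "(?m)^(APP_KEY|DB_PASSWORD|DB_HOST)="
```

Validate the template with `nuclei -validate -t exposed-dotenv-file.yaml` before running it, then scan a target with `nuclei -t exposed-dotenv-file.yaml -u https://target.example.com`. The same structure (request, matchers, extractors) extends to any custom check you want to add to a scan, which is what makes the tool useful beyond its public template library.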

OWASP ZAP

An open-source web application scanner that’s perfect for quick scans and manual security testing. We rely on ZAP for its simplicity and flexibility in different testing environments.

Postman

Postman is indispensable for testing APIs. It helps us craft and automate requests, making sure API endpoints are secure and function as intended.

ReconFTW

A comprehensive reconnaissance tool we use to automate the entire recon process. ReconFTW speeds up data gathering and gives us a detailed overview of our target’s attack surface.

SQLMap

We turn to SQLMap for automating SQL injection testing. It’s a powerful tool that helps us detect and exploit SQL injection vulnerabilities in web applications.

Wireshark

We rely on Wireshark for network traffic analysis. It allows us to capture and inspect data packets in real-time, helping us diagnose network issues and spot potential security threats.




