Golang Job: Expert Lead Red Team

Expert Lead Red Team

Department: CISO/ASM (Attack Surface Management)/Center of Expertise – Offensive Security

Grade: 18

Background

ING CISO mission is to keep the bank secure and to safeguard customer trust by predicting, preventing, identifying and responding to threats and make sure a quick recovery from cyber-related incidents. We enable our ING colleagues by providing usable and secure services and ensure that security is part of our DNA.

ING, like its competitors, is operating in an increasingly complex environment. Digitisation is a top priority as customer preferences are changing towards mobile and digital. ING is moving from traditional ways of delivering to a platform bank. Disruptive technologies and new types of threats create additional cyber risks for organisations, and new cyber security regulations are either launching or in development.

Generic summary of role

The ING Global CISO’s Attack Surface Management (ASM) tribe will focus on reducing both the external and well as the internal attack surface of the entire ING organisation, by (automated) hardening of our assets against cyber threats with preventive controls and proactively identifying and remediating vulnerabilities. One of area belonging to the ASM tribe is the Center of Expertise (CoE) Offensive Security including Penetration Testing and Red Teaming Expert Teams and Security Development & Engineering Expert Team. The CoE Offensive Security is globally responsible for the following activities:

• Execution of scheduled and ad-hoc penetration tests, red teaming exercises and DDoS exercises.
• Providing specific analysis of security issues, confirming hypotheses, testing and certifying new technologies.
• Continuous monitoring of development environment, quality of tools, configurations etc. basing on results of security processes embedded into Security Development Lifecycle (SAST, DAST, IAST, SCA, VS, penetration testing and red teaming) and dedicated analysis on the most common vulnerabilities identified in code
• Providing training and awareness on secure coding practices for developers and security champions
• Providing consulting and expert knowledge on specific software issues and vulnerabilities, low quality of code, use of libraries and frameworks, specific security settings of application servers.

Expert Lead Red Team role is responsible for supporting the implementation of adequate detective and preventive measures to reduce attack surface of the Bank, leading an expert team of Penetration Testers, Red Teamers, Secure Development Engineers, delivering Offensive Security capabilities to ING with expected high quality and on timely manner, maturing personnel’s skills and knowledge and organizing daily routines of an expert team with operational excellence.

Expert Lead Red Team reports directly to the CoE Lead Offensive Security.

Key Responsibilities

Expert Lead Red Team is responsible for:

• Supervising delivery of penetration testing, red teaming or DDoS testing either as activity delivered by an expert team or by 3rd party vendor as a service (Expert Team delivering PT or RT)
• Leading The Global Security Champion Guild having a focus on secure development and engineering to ensure security is embedded by default into each IT or business product at all stages of their lifecycle (Expert Team Secure Development and Engineering)
• Supervising delivery of security assessments of IT products, infrastructure, applications or 3rd party services as a mechanism to assess the effectiveness of cybercrime resilience controls in place to protect people, process and technology aspects of ING IT systems
• Providing technical expertise, analytical skills, documentation and coordination support to an expert team or to CoE’s service consumers
• Guiding towards best practices, industry standards and solutions to assure quality of security capabilities delivered out by CoE Offensive Security
• Drive the competencies and capabilities within an expert team in the field of PT, RT, Secure Development & Engineering by people and team development
• Identify and develop the next experts of the security community, focusing on craftmanship and skills development

Requirements

• Bachelor or Masters in information technology, cybersecurity or a related field
• Prior or current experience working as a Penetration Tester, Red Team or Cybersecurity consultant or developer with a focus on secure coding and system design (minimum 5 years)
• Hands on experience with testing devices, infrastructure or cloud, networks and applications (including testing web applications and APIs, mobile applications is a plus) and/or knowledge of secure coding aspects in at least one leading programming language (e.g. Java, C#, C/C++/Objective-C, Python, GoLANG, SQL etc.)
• Certificates like CEH, Offensive Certifications like OSCP, OSWP, SANS Offensive Operations Certificates like GIAC Certified Penetration Tester (GPEN) / Certified Expert Penetration Tester (CEPT) is a plus
• +1 years’ professional experience in managing an expert team of testers or developers. Ideally in large companies and corporate consulting experience.
• Strong knowledge of current security technologies and emerging trends in the area of cybersecurity
• Passionate about the field of Cybercrime resilience, secure coding practices, secure design and advanced security testing techniques
• Seamless ability to communicate technical issues in a business language
• Ability to support yourself and other team members in development
• Ability to empower teams to act autonomously, think out of the box and hold them accountable
• Ability to establish lasting relations within the organization with IT and Business and outside the Bank
• Good oral and written English communication skills