SAIC is seeking a Penetration Testing Manager - Web Applications to work onsite with our customer at Quantico, VA. This position supports the Marine Corps Cyberspace Operations Group (MCCOG).
This position is contingent upon contract award. If awarded, work will begin in Fall 2023.
Summary and Description: The Penetration Testing Manager - Web Applications shall be responsible for providing capabilities necessary to discover vulnerabilities in both internal and public facing web applications and web security appliances (Web Application Firewalls) through no-notice and cooperative security assessments and automated scanning. Assessments will be performed at the direction of and under the supervision of Government personnel. The Government directed twelve manual pen-testing campaigns during calendar year 2021 which focused on sites affected by priority threats. Campaigns lasted thirty days each and the number of sites tested during a campaign varied from 5-15. Contractor staff will open records for any findings resulting from these campaigns and validate reported fix actions. Automated web vulnerability scanning is conducted continuously and encompasses about 700 total Uniform Resource Locators (URLs). Contractor staff will manually validate vulnerabilities found during automated scanning and open records for those validated findings.
Duties and Responsibilities:
- Implement a repeatable and documented assessment methodology (NIST SP 800-115).
- Assist the Government to determine the objectives of each security assessment, and tailor the approach accordingly (NIST SP 800-115).
- Perform manual web application penetration tests on both internal and external systems to identify vulnerabilities such as those listed in the Open Web Application Security Project (OWASP) Top 10, the Mitre ATT&CK matrix, Mitre Common Attack Pattern Enumeration and Classification (CAPEC), Mitre Common Weakness Enumeration (CWE), or other sources.
- Operate automated web application vulnerability scanning and situational awareness tools including but not limited to Acunetix, WebInspect, Netsparker, and Expanse eXpander.
- Analyze findings and develop risk mitigation techniques to address weaknesses.
- Validate the remediation of findings reported by system owners.
- Advise system owners on strategies for remediating vulnerabilities when necessary.
- Evaluate systems and applications for compliance with applicable DOD, DON, and other government IT Security Policies (i.e. Secure Technical Implementation Guides).
- Provide reports detailing findings from each manual pen-testing campaign.
- Bachelors and fourteen (14) years or more experience; Masters and twelve (12) years or more experience; PhD or JD and nine (9) years or more experience.
- 5+ years serving as PenTester
- CSSP Auditor
- IAT III Certification
- Active TS/SCI Clearance
Covid Policy: SAIC does not require COVID-19 vaccinations or boosters. Customer site vaccination requirements must be followed when work is performed at a customer site.
Apply on company website