Responsibilities

• Owner of the framework for security testing (Vulnerability Assessment and Penetration Testing - VAPT).
• Design and implement Standard Operating Procedures (SOPs) to guide teams on engaging external security vendors and managing internal testing cycles.
• Establish "Quality Rubrics" to evaluate the performance of pen-testers.
• Conduct periodic sampling of testing reports and project involvements to ensure quality and rigour.
• Lead the execution of complex Red Teaming exercises and deep-dive penetration tests on high-impact systems.
• Leverage on the latest Adversary Tactics, Techniques, and Procedures (TTPs) to simulate real-world attacks, helping to identify blind spots in prevention, detection and response capabilities.
• Keeping a keen eye on the global threat landscape to identify emerging threats and evolving actor TTPs.
• Assess impact of current security posture and update testing standards accordingly.
• Owner of secure coding guidelines (based on OWASP, SANS) to ensure developers build security into the application layer from day one.
• Champion of the Static Application Security Testing (SAST) and Software Composition Analysis (SCA).
• Evaluate automation tools that detects vulnerabilities in source code and third-party libraries.
• Review, recommend, and provide guidance on integrating security tools into DevOps pipelines (DevSecOps).
• Evaluate and suggest systems that help to boost code quality, enforcing security to be treated as a core component of "clean code."
• On the forefront of technology changes (Cloud-native security, AI-driven development) and promote systems/technologies that enhance code quality and resilience.
• Advisor to CIOs, CISOs, and Project Owners to educate and inculcate a culture of secure-by-design.
• Promote a platform for knowledge sharing among security practitioners to harmonise security testing efforts.

Requirements

• Possess OSCP certification.
• 8 years of deep technical experience in Cybersecurity, with a strong focus on offensive security and application security.
• Experience in conducting penetration tests for Web Applications, IT Systems (on-premises and cloud environments), and complex Network architectures.
• Experience in performing manual and automated source code reviews to identify logic flaws, injection vulnerabilities, and cryptographic weaknesses.
• Experience in manual and automated testing tools
• Experience with Government Commercial Cloud (GCC) environments.
• In-depth understanding of secure software development lifecycles (SSDLC) and the ability to read/analyze common programming languages (Java, Python, .NET, JavaScript).
• Skilled with enterprise-grade SAST, DAST, SCA and VAPT tools (Checkmarx, Fortify, SonarQube, Snyk, Burp Suite).
• Sound understanding of the MITRE ATT&CK framework and common TTPs.
• Practical knowledge of Jenkins, GitLab CI, or GitHub Actions.
• Able to communicate complex technical risks to non-technical stakeholders
• Able to influence change without direct reporting lines.
• Able to identify patterns in "bad" testing jobs or recurring code vulnerabilities and provide constructive feedback to improve performance.
• Continuously learning and keeping pace with the rapidly evolving cyber threat landscape.

Ethos Search Associates Pte. Ltd.

EA License No: 13C6655

EA Reg No: R1988580 Jacky Chong