Senior Supervisor, Technical Security Testing

Job description / Role

About the role

Purpose of the job:

Evaluate the security controls for Orange's internal and external systems and identify new vulnerabilities and exploits that can jeopardize the integrity, confidentiality, and availability of our information systems.

Duties and responsibilities

• Perform initial penetration testing for newly acquired or developed systems.
• Identify security issues and vulnerabilities that can jeopardize the confidentiality, integrity, and availability of information systems.
• Perform network penetration, web and mobile application testing, source code reviews, threat analysis, wireless network assessment, and social engineering assessments.
• Develop scripts, tools, and methodologies to enhance red teaming processes.
• Programming skills supporting tool development and customization (shell scripting, Perl, Python, Ruby, C, C++, C#, Java).
• Recognize and safely utilize attackers' tools, tactics, and procedures.
• Exhibit strong knowledge of tools used for wireless, web application, mobile application, and infrastructure penetration testing.
• Provide technical advice to system or business owners and/or developers on how to mitigate the identified issues.
• Propose compensating controls to mitigate or reduce risks where resolving the root cause is not possible.
• Provide guidance to application developers on secure coding best practices.
• Ensure Orange's information systems are properly hardened, including but not limited to operating systems, databases, web servers, and application servers.
• Provide advice to system administrators on how to harden their systems.
• Perform telecom-specific security testing to ensure the security of our access, core, and packet core networks. Identify and resolve any discovered issues.
• Perform periodic penetration testing against Orange's critical systems to address any new security issues.
• Run periodic vulnerability scans against Orange's systems, and ensure the findings are addressed in a timely manner according to the asset's criticality and the risk.
• Run on-demand scans for newly announced vulnerabilities and address those vulnerabilities with their owner.
• Provide executive and detailed technical reports on findings to be used as an input in the risk management process.
• Thorough understanding of different network protocols, application frameworks, and database platforms.
• Mastery of Unix, Linux, Mac, and Windows operating systems including Bash and PowerShell.
• Perform assessments against internal and external security standards including but not limited to PCI-DSS, SOX, ISO-27001, and Orange Global Security Policy.
• Map business objectives and strategies to identify testing objectives and establish a business-oriented risk level.
• Determine needed tools and budget to enhance the security testing process.
• Supervise and guide pentesting team activities.
• Ability to define and scope penetration testing requirements.
• Ability to document and communicate vulnerabilities and associated security risks with the stakeholders.

Job specification

Education

• University degree in Telecommunication, Information Technology, or Computer Science.
• Fluently reading and writing in the English language.
• Certifications such as GPEN, OSCP, OSCE, OSWE, GWAPT, GAWN, GMOB, eMAPT are a must.

Experience

• 3-5 years experience in at least three of the following:
• Network penetration testing.
• Mobile and/or web application assessment.
• Social engineering assessment.
• Shell scripting and automation of simple tasks using Perl, Python, Ruby, and/or PowerShell.
• Developing, extending, or modifying exploits, shellcodes, or exploit tools.
• Source code review for control flow and security flaws.
• Familiarity with the telecom industry and its security posture.

Skills and abilities

• Executive presence, highly effective communicator, well-established influencing and negotiating skills.
• Strong analytical skills; able to quickly digest any issue encountered and recommend an appropriate solution.
• Strong client service orientation.
• Self-motivated without the need for significant management oversight.
• Dynamic team player.
• Ability to deal with ambiguity and make expert judgment in situations where no precedent exists.
• Excellent verbal and written communication skills including the ability to author and present materials ranging from detailed technical specifications to high-level presentations.
• Strong understanding of the role's impact on the entire company.
• Ability to maintain a steady work pace with a high level of accuracy.
• Must possess a strong sense of ethics and integrity with respect to identified critical security findings (revenue or image impacting).

About the Company

Orange is one of the world’s leading telecommunications operators with sales of 43.5 billion euros in 2022 and 136,000 employees worldwide at 31 December 2022, including 75,000 employees in France. The Group has a total customer base of 287 million customers worldwide at 31 December 2022, including 242 million mobile customers and 24 million fixed broadband customers. The Group is present in 26 countries. Orange is also a leading provider of global IT and telecommunication services to multinational companies under the brand Orange Business.