A White Hat hacker tests systems and networks by trying to break into them. They are hackers, but their talents are being used to improve Cyber Security. Being hackers, they are familiar with the tactics that malicious hackers use to compromise systems; White Hat hackers try to find the vulnerabilities before the bad guys do.
Will act as an ethical white hat attacker (red teamer) to simulate cyber-attacks, and/or as defensive cybersecurity personnel (blue teamer) to harden against simulated attacks. Develops and prepares penetration testing Rules of Engagement, test plans, and reports. Provides recommended remediation actions to lower overall risk exposure, as required. Provides technical expertise on penetration testing tools and simulation environment.
Knowledge of OWASP Top 10, CWE/SANS Top 25, Threat Modeling, understanding application architecture, design, and functionalities with an interest in performing penetration testing of diverse and challenging IT systems and applications.
Should possess any one of the following industry-accepted certifications:
- CISSP – ISC2
- Offensive Security Certified Professional
- Certified Ethical Hacker
- Certified Pentester
- Web Application Penetration Tester (GWAPT)
- Exploit Researcher and Advanced Penetration Tester (GXPN)
The following are the key responsibilities:
- Researching the intended application or system target via both open-source and dark-web channels
- Scanning target networks and systems with commercial, open-source, or custom vulnerability scanners
- Identifying potential vulnerabilities that can be exploited
- Designing a plan of attack based on the vulnerabilities, which can include:
- Exploiting software vulnerabilities, systemic vulnerabilities
- Input / output manipulation, or any combination of those factors
- Testing business logic vulnerabilities
- Bypassing existing security controls such as one-time passwords, tokens, etc.
- Able to develop scripts (e.g. Python, Shell, PowerShell, Ruby, Perl, etc.) to be used as payloads and for exploiting vulnerabilities
- Drive remediation by outlining a defence-in-depth approach to business stakeholders and providing strategic solutions to developers on effective security controls and countermeasures.
- Technical writing and presentation skills to report and articulate the vulnerability assessment results to any audience.