Expert in Secure Development


COSMOTE Global Solutions, part of the OTE Group of Companies, is a leading provider of ICT Solutions and Services, specializing in various areas such as Cloud, Data Centre operations, Networking, Cybersecurity, and more.

As an Expert in Secure Development, you will play a critical role in enhancing the security of our software development processes, ensuring that all applications are built with a strong security posture.

Responsibilities:

  • Perform a white-box penetration test of the AFIS application, using full access to source code, documentation, system configuration, and user accounts with varying privilege levels.
  • Design and execute authenticated attack scenarios for multiple predefined user roles, focusing on privilege escalation, horizontal access abuse, and misuse of authenticated functionalities.
  • Apply a structured penetration testing methodology, based on PTES (Penetration Testing Execution Standard) or an equivalent industry-accepted approach, ensuring completeness and repeatability of the test process.
  • Conduct all tests in alignment with the OWASP Testing Checklist, covering the required categories such as authentication, authorization, session management, input validation, error handling, and business logic testing.
  • Analyse identified vulnerabilities, exploitation paths, and systemic weaknesses, and evaluate their impact, likelihood, and relevance to the AFIS security posture.
  • Document all findings in a comprehensive PDF report, including technical descriptions, reproduction steps, risk severity ratings, affected components, and recommended remediation actions.
  • Register all discovered defects as bugs in the AFIS Ticketing platform, using the agreed-upon template and severity classification, ensuring traceability to the penetration test results.
  • Provide guidance to the AFIS team on remediation approaches, mitigation strategies, and secure alternatives for high-risk issues.
  • Participate in review or clarification meetings, on request, to walk through findings, exploitation steps, and recommended fixes with stakeholders.

Requirements

  • Master's Degree in IT or a related field
  • Minimum 8 years of experience in offensive security testing of Web Applications and Infrastructure technologies on a relevant technology stack (Java, Linux, Oracle/Postgres)
  • Deep understanding of penetration testing methodologies such as PTES, OWASP Testing Guide, NIST SP, and ISSAF.
  • Extensive knowledge of OWASP Top 10, OWASP ASVS, CWE, and common vulnerability classes.
  • Familiarity with modern application architectures (web, API, client–server, microservices).
  • Knowledge of secure software development practices and common coding pitfalls.
  • Understanding of authentication and authorization models, including role-based access control, session management, and token-based authentication.
  • Knowledge of network protocols, encryption, TLS, certificates, and secure communication patterns.
  • Strong understanding of application data flows, business logic, and trust boundaries.
  • Expertise in exploit development concepts, payload crafting, and evasion techniques (where applicable in a white-box context).
  • Knowledge of logging and monitoring mechanisms, audit trails, and security-relevant events.
  • Understanding of the AFIS application architecture (once documentation is provided).
  • Familiarity with the programming languages, frameworks, and libraries used in the AFIS code base (Java, Spring Boot, React, Python).
  • Knowledge of identity and access management technologies affecting authenticated scenarios.
  • Experience with issue tracking platforms, specifically Gitlab, for accurate defect reporting.
  • Experience with issue tracking platforms, specifically Jira, for accurate defect reporting.
  • Ability to perform white-box testing, including code-assisted analysis and configuration review.
  • Expertise in authenticated testing, including session manipulation, impersonation, and privilege escalation attempts.
  • Ability to identify security flaws in business logic, not just technical layers.
  • Skills in dynamic analysis, static analysis, and manual testing techniques.
  • Proficiency in using penetration testing tools, such as:
    • Burp Suite Pro
    • OWASP ZAP
    • Postman / API testing tools
    • Browser DevTools
    • Source code review tools (static analyzers when available)
  • Ability to create and execute realistic attack chains based on combined vulnerabilities.
  • Ability to understand, speak and write French (C2); Dutch (B1) will be an advantage.

Mandatory Certifications:

Offensive Security Certified Professional (OSCP)