Infrastructure and application pentester

FREELANCERS ONLY
BELGIUM BASED
NBB institution:

• The National Bank of Belgium is an institution that works towards the stability of the financial system.
• The National Bank contributes to creating a climate of confidence conducive to the well-being of all.

Mission:
We search for a senior pentester for 2 kinds of pentesting: Infrastructure and application pentesting.

The target includes but is not limited to Windows, Linux, cloud infrastructure, ICS, web applications, fat clients, APIs, µ-service architecture etc..., host-based audits and social engineering testing.

The goal that should be attained is to identify vulnerabilities in new and existing technical infrastructures, applications and/or systems but also to identify design and implementation weaknesses in new and existing applications and in inter-applicative flows, as well as validating technical and business measures (e.g., specific business measures to avoid fraud) based upon the scope of the test.

The penetration test can consist of different scenarios, such as:

Source: both internal (from NBB networks) and external (from internet) penetration testing

Approach: white-box (all available information), grey-box (some inside information) and black-box approach (no information)

Methodology: cautious (discovery, enumeration, vulnerability mapping) to aggressive (exploitation of vulnerabilities, denial of service), after approval of NBB staff

Technique: network based. Host-based testing and social engineering by default do not make part of this type of testing.

The consultant proposed must dispose of an extensive professional experience of 10 years or more as an infrastructure and application penetration tester. Furthermore, (s)he must dispose of an extensive professional experience of at least 5 years with critical infrastructure.

Specific technical skills:

• Network technologies (Ethernet, Wi-Fi, fibre channel, Bluetooth) and detailed knowledge of protocols.
• Authentication technologies (both user and machine) and mechanisms.
• Encryption techniques.
• Operating systems (Windows, Linux, Solaris).
• Cloud services (e.g., Microsoft stack, )
• Cloud architecture and principles, including interconnectivity/interoperability between systems, services and applications
• Cloud, on premise and hybrid topologies
• µ-services
• Enterprise service bus architecture (incl. API-gateway)
• Proprietary systems and protocols, including industrial control systems (ICS), Supervisory control and data acquisition (SCADA),
• Well known attacks and techniques to defeat security controls.
• Scripting (Bash, Python, PowerShell, ...)
• Network design and architecture.
• Multi-layered security (defence in depth) principles
• Database systems (e.g., Microsoft SQL, Oracle Database, )
• Middleware (e.g., Web Application Servers, Enterprise Service Bus, Business analytics tooling, ETL, )
• Secure application development.
• Programming languages (e.g., Java, Microsoft .NET, ).

Soft skills:

• Team player
• Communicative
• Independent worker
• Discreet
• Curious