Penetration Tester - Full Time - Remote Job

Job Overview

Location
Toronto, Ontario
Job Type
Full Time
Salary / Compensation
Details Not Provided
Date Posted
9 months ago

Additional Details

Experience
Extensive Exp. Required (9+ Years)

Job Description

LifeLabs is the largest community diagnostics laboratory in Canada, serving the healthcare needs of Canadians for over 50 years. Our team members are truly centred around our customers, and we know that behind every lab requisition, sample being tested, or investment in technology is an individual and their family counting on us.

Consistently named one of Canada's Best Employers by Forbes, LifeLabs has also been recognized for having an award-winning Mental Health Program from Benefits Canada. The passion and commitment of over 6,000 diverse and innovative team members unites and motivates us to ensure our customers receive high quality tests and results that they can trust. Agile, customer-centred, caring and teamwork: we live these values every day in what we do to support our customers and healthcare providers, driving forward our vision of empowering a healthier you.

Make a difference – join the LifeLabs team today!

REPORTS TO: Vulnerability Management Lead

PURPOSE OF THE ROLE: A penetration-tester/red team member is a very hands-on representative of the information security team. This role is highly technical, and candidates must possess a solid understanding of information security, preferably with a strong computer science background. Pen-testers/red teamers must understand applications, networking and various operating systems, along with tools and frameworks, and they must maintain a high level of rigor to stay up to date with advancements in technology while also retaining knowledge of older systems and applications that may still be in use in the enterprise.

Penetration-testers/red teamers must constantly search for system and application weaknesses to exploit, but they are also expected to maintain a level of professionalism at all times. The position must collaborate with others on the team for remediation and additional validation, as well as contribute to other collaborative approaches driven by the security team strategy, such as purple teaming, to enhance skillsets for both red and blue team members.

While some automated tools will be leveraged, the penetration-tester/red teamer must realize this is not solely a point-and-click role but requires hands-on expertise with a variety of tools to simulate attacker tactics, techniques and procedures (TTPs). When performing red team exercises, the penetration-tester/red teamer must strive to avoid detection. In addition to stealthy engagements, however, penetration-testers/red teamers must also participate in visible and announced assessments for new and existing services, infrastructure, and applications to help the team identify weaknesses before an attacker does.

Core Accountabilities

Penetration Testing

  • Document and formally report testing initiatives, along with remediation recommendations and validation.
  • Conduct tactical assessments that require expertise in social engineering, application security (web and mobile), physical methods, lateral movement, threat analysis, internal and external network architecture and a wide array of commercial products.
  • Develop and maintain tools and scripts used in penetration-testing and red team processes.
  • Train offensive and defensive colleagues on new TTPs and mentor junior teammates.
  • Regularly research and learn new TTPs in public and closed forums, and work with teammates to assess risk and implement and validate controls as necessary.
  • Understand breach and attack simulation (BAS) solutions and work with the team to validate controls effectiveness.

Stakeholder and Vendor Management

  • Support purple team exercises designed to build strength across disparate teams.
  • Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of compromise or information leakage.
  • Occasionally attend and participate in change management policy discussions and meetings.
  • When necessary, assist in threat and incident response (IR) tabletop exercises as well as postmortem drills with a focus on measurable improvements and benchmarking to show progress (or deficiencies requiring additional attention).

Minimum Qualification and Skills

  • Bachelor's degree in computer science (preferred), information assurance, MIS, or related field, or equivalent
  • 10+ years’ experience in information security administration, offensive tactics, monitoring and IR
  • 5-7 years’ experience in pentesting with emphasis on purple teams.
  • Preferred to have one or more of the following relevant certifications.
    • Certified Information Systems Security Professional (CISSP)
    • Offensive Security Certified Professional (OSCP)
    • Offensive Security Certified Expert (OSCE)
    • GIAC Penetration Tester (GPEN)
  • Proficient in scripting languages such as Python, PowerShell, Bash and Ruby
  • Competent with testing frameworks and tools such as Burp Suite, Metasploit, Cobalt Strike, Kali Linux, Nessus, PowerShell Empire and AutoSploit
