Posted

30+ days ago

Description

Principal Security Specialist – Offensive Security (Team Lead)


Advert:


People make Sage great. From our colleagues delivering ground-breaking solutions to the customers who use them: people have helped us grow for more than thirty years, and people are driving our future as a great SaaS company. We’re writing our next chapter. Be part of it!


Experience has taught us that when our customers thrive, we thrive. As a team, we always start with what customers need. Through the good… and more challenging times. Innovating at pace so customers can manage their finances, operations and people. Every one of us shapes our culture at Sage - doing what’s right and succeeding together, united by our commitment to each other. We encourage each other to grow in our roles, in our careers and as individuals.


Follow us on our social media sites below to join in conversations about career tips, open positions and company news! #lifeatsage #sagecareers. If you would like support with your application (or require any adjustments) please contact us at careers@sage.com for assistance. All qualified applicants will be thoughtfully considered and never discriminated against based on their race, color, age, religion, sexual orientation, gender identity, national origin, disability or veteran status.


Job Description:


To be the team lead and deliver offensive security testing across Sage covering red teaming (including social engineering and physical tactics), penetration testing (including web, APIs, mobile, and infrastructure) and bug bounty programme support (including triage and verification). As well as this you will need to carry out purple teaming to ensure that Sage teams properly understand vulnerabilities that are found and implement both effective fixes and detection via our SOC. You will continually maintain and improve the skills, tools, processes and approaches of the Offensive Security Team to meet the evolving threat. The ultimate goal is to drive continual improvement in the security of our products, systems and behaviours.


Key Responsibilities:


Key accountabilities and decision ownership:

Maintaining own skills and knowledge, and mentoring team members, to ensure alignment with recognised industry standards, levels of competence and emerging threats, vulnerabilities and techniques

Contributing to the development and continual improvement of methodologies, standards, tools and approaches for the team

Managing team workload to ensure delivery to expected quality and timescales

Performing a range of offensive security tactics and techniques – including infrastructure testing, web and mobile application penetration testing and social engineering (including physical access)

Scoping penetration tests to be performed by external suppliers. Assessing supplier performance against desired service levels and value for money

Working with Sage teams to fix identified vulnerabilities ensuring they fully understand the issues found and how to fix them

Analysis of vulnerabilities and other findings to identify systemic weaknesses and drive continual improvement in products, systems and behaviours as part of our Information Security Management System, aligned to ISO27001

Publishing blogs/articles and representing Sage at external events to establish us as a recognised centre of excellence for security.


Skills, know-how and experience:

Must have:

Experience of team leadership or leading engagements

Experience of red teaming, including a wide variety of attack simulation tactics and techniques

Experience of penetration testing covering web, API, mobile applications, infrastructure and social engineering (including physical access)

Experience with security tools such as Metasploit, Kali Linux, Nmap, Burp Suite

Good knowledge of CWE, CVSS and MITRE ATT&CK TTPs

Good verbal and written communication skills

Experience of working with geographically dispersed teams


Preferred:

Knowledge of scripting or software/tools development

Experience in ISO27001, PCI, OWASP ASVS or similar standards

Experience of working with suppliers to scope effective penetration tests.

Experience of purple teaming

Experience working in an agile, DevOps/DevSecOps environment.


Technical / professional qualifications:

CHECK Team Leader, CREST CCT, Tiger Scheme Senior Tester or similar.




Function:


Global Information Security


Country:


United Kingdom


Office Location


Newcastle; London; Reading