Group Specialist - Penetration Testing (Application & Infrastructure Security)

• The ideal candidate should bring a balanced background across application security testing and infrastructure penetration testing, combined with the ability to write scripts, build tooling, automate test cases, analyze code/configurations, and integrate AI-enabled security tools into the testing lifecycle. The role requires close collaboration with engineering, infrastructure, cloud, SOC, architecture, and product teams to validate security posture, identify exploitable weaknesses, and drive remediation.

• Modern testing workflows increasingly include AI-assisted capabilities. For example, PortSwigger documents Burp AI as a way to improve testing efficiency, understand complex technologies, and streamline authentication setup, while still keeping the tester in control. Microsoft also publishes current guidance for both penetration testing in Azure and LLM red teaming, which reflects the growing expectation that offensive security teams can test both traditional systems and AI-enabled systems.

• Assist BUs in conducting access control reviews of their applications & systems

• Perform hands-on penetration testing of web applications, APIs, mobile backends, middleware, and custom business applications. 

• Assess applications for vulnerabilities such as: 

  • Broken access control / BOLA 

  • Authentication and session management flaws 

  • Injection vulnerabilities 

  • Server-side request forgery (SSRF) 

  • Business logic abuse 

  • Client-side security weaknesses 

  • Insecure deserialization 

  • Misconfigurations and secrets exposure  

• Conduct authenticated and unauthenticated assessments across internet-facing and internal applications. 

• Test REST, SOAP, GraphQL, and modern API architectures. 

• Review application architecture, trust boundaries, and data flows to identify realistic attack paths. 

• Validate remediation fixes and perform re-testing.

• Perform infrastructure penetration testing across: 
  • Internal and external networks 
  • Active Directory / Windows environments 
  • Linux and Unix servers 
  • Network devices and segmentation controls 
  • VPN, remote access, and identity-connected infrastructure 
  • Cloud environments and hybrid infrastructure 
• Assess privilege escalation paths, lateral movement opportunities, credential exposure, trust abuses, and weak administrative controls. 
• Conduct attack path testing across enterprise environments to identify high-risk chaining opportunities. 
• Evaluate resilience of endpoint, network, identity, and server controls against real-world attack techniques.

Evaluate and integrate modern AI-enabled testing capabilities into the pentesting workflow, such as:

• AI-assisted web testing and workflow understanding 
• AI-enhanced reporting/documentation 
• AI-supported attack-path reasoning 
• AI-assisted code and configuration review 
• AI red teaming for LLM- or agent-based applications where relevnt

• Always act as an ambassador for DP World when working; promoting and demonstrating positive behaviors in harmony with DP World’s Principles, values and culture; ensuring the highest level of safety is applied in all activities; understanding and following DP World’s Code of Conduct and Ethics policies

• Perform other related duties as assigned 

QUALIFICATIONS, EXPERIENCE AND SKILLS

Knowledge and Experience

• Bachelor’s degree in computer science or equivalent

• Should have 10-12 years of experience in application and infra pen testing.

• Good understanding in E-commerce, logistics, supply chain & port operations applications will be an added advantage

• Experience in establishing cyber & third-party risk management processes

• Working knowledge of ISO 27001, COBIT 2019 etc.

• Experience in working with Multinational Companies (MNC) is preferable

Soft Skills

• Excellent communication & analytical skills
• Program and Project management skills
• Time management skills
• Team player and conflict management skills
• Coaching / guiding skills
• Ability to adapt in a complex environment, loves challenges, with the will and drive to learn new things on his/her own
• Cultural awareness

Technical Skills

• Strong hands-on experience in application penetration testing and infrastructure penetration testing. 
• Strong knowledge of: 
  • Web security testing 
  • API security testing 
  • Network and server exploitation fundamentals 
  • Active Directory attack techniques 
  • Windows and Linux internals 
  • Authentication, identity, and privilege escalation paths 
  • Cloud security fundamentals 
• Strong hands-on experience with tools such as: 
  • Burp Suite 
  • Nmap 
  • Metasploit  
  • BloodHound  
  • Responder / Impacket 
  • Nessus / Qualys 
  • Wireshark  
  • Custom scripts and offensive security frameworks 
• Strong programming / scripting skills in Python, PowerShell, Bash, JavaScript, or Go. 
• Ability to develop or modify tools, proof-of-concepts, payloads, and automation scripts. 

Understanding of secure coding concepts and ability to review code snippets for security issues.

#LI-DP1