Posted on: 23/08/2025
Job Description :
We are seeking a skilled Penetration Tester to assess and enhance the security of our cross-platform executable Qualys Cloud Agent.
This agent is responsible for system monitoring, data collection, and secure communication with a cloud platform.
Operating across Unix, Windows, and macOS environments, the agent plays a critical role in our security and compliance solutions.
The ideal candidate will uncover vulnerabilities, simulate attack scenarios, and work with our teams to fortify the system against threats.
Key Responsibilities :
Cross-Platform Agent Testing :
- Identify and exploit vulnerabilities in the agent's runtime behavior, system interactions, and interprocess communications.
- Test agent privilege management and evaluate risks of escalation or exploitation.
Data Collection and Handling :
- Analyze the agent's data collection mechanisms to ensure data privacy and integrity.
- Validate proper implementation of sensitive data redaction and secure storage practices.
Communication Security :
Test the agent's secure communication mechanisms with the cloud server, focusing on :
- Encryption (TLS/SSL, public key cryptography).
- Authentication and session management.
- Mitigation of threats like MITM, replay attacks, and DNS spoofing.
Reverse Engineering and Exploitation :
- Reverse engineer agent components to assess the effectiveness of tamper-proofing mechanisms and embedded security features.
- Simulate advanced threat scenarios, including code injection and runtime manipulation.
System Security Evaluations :
- Assess the agent's impact on host system security, ensuring it does not inadvertently introduce risks (e.g., open ports, exploitable configurations).
- Evaluate installation, update, and self-defense mechanisms for tamper resistance and exploitation risks.
Reporting and Remediation :
- Provide detailed vulnerability reports with proof of concept (PoC), risk impact assessments, and actionable remediation steps.
- Collaborate with the development team to address vulnerabilities and validate fixes.
- Contribute to improving secure development practices and robust agent design.
Required Qualifications :
Technical Expertise :
- In-depth knowledge of penetration testing methodologies for executable agents, system processes, and OS-specific security models (Windows, Unix/Linux, macOS).
- Proficiency in network security and cryptographic protocol testing.
- Strong background in reverse engineering tools and techniques.
Tools & Scripting :
- Hands-on experience with proxy solutions, e.g., Burp or Fiddler.
Experience :
- Proven track record of assessing software agents or similar system monitoring tools.
- Familiarity with common vulnerabilities, including CVEs related to agent-based applications.
- Experience working with security tools or platforms similar to Qualys Agent.
Certifications (Preferred) :
- Relevant cloud certifications such as AWS Security Specialty, Azure Security Engineer Associate.
Preferred Qualifications :
- Hands-on experience with agent technologies similar to Qualys Cloud Agent.
- Familiarity with cloud architecture, APIs, and integration points.
- Knowledge of secure coding practices and defensive programming.
- Experience with CI/CD pipeline security.
Posted in
Quality Assurance
Functional Area
QA & Testing
Job Code
1534017