Offensive Security Engineer

Arab Bank • Full-time • عمان, JO • 13h ago

Job Description:

An Offensive Security Engineer within Arab Bank will be responsible for proactively identifying and exploiting vulnerabilities across our digital infrastructure, web/mobile applications, APIs, and networks to assess and strengthen our products and customers security posture.

Design and conduct advanced penetration tests, red team exercises, and security assessments targeting both internal and external assets, ensuring resilience against real-world cyber threats. Working closely with security architects, and development teams to assess digital products security posture and applied security fixes. In addition to hands-on technical testing, the role will serve as subject matter expert on reported vulnerabilities via 3rd party vendors and remediation process, and help mature the organization's adversarial simulation capabilities.

Accountabilities and Key Roles:

Conduct advanced threat simulation and penetration test (Web, Network, APIs, Mobile, Cloud) across Arab Bank attack surface, software changes, and digital products.
Conduct internal and external red team activities and assess security controls effectiveness from attacker perspective.
Perform security code reviews, fuzzing, reverse engineering and penetration test from Whitebox perspective.
Develop security tools and proof of concept of vulnerabilities.
Provide recommendations and guidance on security best practices to fix vulnerabilities and enhance security posture.
Work closely with cross-functional teams (Engineering, DevSecOps, SOC, Risk) to discover and address security vulnerabilities.
Lead the triage process of reported vulnerabilities.

Education:

Bachelor’s or master’s degree in computer science, Information Security, Computer Engineering, or a related field.
Certifications such as: OSWE, OSCE, OSCP, GXPN, GMOB, CRTO.

Experience:

2-5 years of experience in similar role.

Competencies:

Experience conducting advanced penetration testing exercises (Web applications, Mobile Applications, APIs, and Cloud)
Experience in developing cybersecurity testing tools and exploits development for web vulnerabilities.
Proficiency in performing advanced mobile applications assessment (iOS/Android) and assessing mobile security controls and backend APIs.
Experience in cloud security testing (GCP, AWS, Azure)
Proficiency with one or more scripting/programming languages and MVC, preferably: JAVA, Spring Boot, JavaScript, PHP, C/C++, Python, GO, etc.
Ability to conduct manual source code review and Whitebox security testing.
Familiarity with related tools such as CodeQL.
Experience emulating advanced adversarial tactics, techniques and procedures TTP and security controls evasion techniques.
Familiarity with security public standards and testing methodologies: OWASP top 10 for Mobile, Web and API. OWASP Application Security Verification Standard (ASVS), MITRE ATT&CK, etc.
Considered advantages: recognitions in public bug bounty programs and hall of fame, registered public vulnerabilities CVEs, contribution to the public security communities in research/blog, or open-source development.