Who We Are
Boston Consulting Group partners with leaders in business and society to tackle their most important challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was founded in 1963. Today, we help clients with total transformation: inspiring complex change, enabling organizations to grow, building competitive advantage, and driving bottom-line impact.
To succeed, organizations must blend digital and human capabilities. Our diverse, global teams bring deep industry and functional expertise and a range of perspectives to spark change. BCG delivers solutions through leading-edge management consulting along with technology and design, corporate and digital ventures—and business purpose. We work in a uniquely collaborative model across the firm and throughout all levels of the client organization, generating results that allow our clients to thrive.
What You'll Do
This position is with the BCG information security team. As a security engineer you will be responsible for performing DAST and penetration testing across different products and systems. The role requires working closely with product development teams to ensure applications are built to BCG security standards and have a robust and secure design and implementation. Working knowledge of SAST is desirable.
Following are the key responsibilities for this role:
- Perform security tests on web applications, mobile applications, APIs, thick-client applications, SaaS systems, and networks.
- Keep up with the latest ethical hacking and testing methods, and continually evaluate new penetration testing tools.
- Follow up regularly on identified security issues with development and infrastructure teams to ensure compliance with the vulnerability management policy.
- Assist development teams in understanding security issues, their risk levels, and their likelihood. Help them build a long-term understanding of security and its value while writing code.
- Enable development teams to build security into every SDLC stage (planning, design, development, and testing), and proactively work with them on security best practices.
- Liaise with application developers, security champions, architects, and project managers to improve application security posture and bring application security standard conformance across the enterprise.
- Maintain the penetration testing scheduling calendar. Ensure 100% compliance with the annual penetration testing criteria and policy.
- Keep a close eye on the web application inventory and maintain its records.
- Ability to perform network-level penetration tests and SAST reviews is a plus.
- Collaborate with other team members, such as security code review specialists and security architects, to build a database of security learnings.
- Write technical penetration testing reports documenting the security issues identified, their risk ratings, and countermeasures.
What You'll Bring
The desired candidate will have an application security background with sound knowledge of penetration testing tools and methodologies. Following are the key skills for this role:
- Proficient in the OWASP Top 10 and SANS Top 25 vulnerability categories.
- Strong technical knowledge of commercial and open-source Dynamic Application Security Testing tools and platforms, including the advantages, challenges, and limitations of using such tools.
- Knowledge of security in CI/CD (securing the applications that pass through the pipeline), the security of CI/CD (securing the pipeline itself), and security outside of CI/CD.
- Familiar with AWS, Azure, GCP, Docker, and Kubernetes, and with bringing security tooling into DevOps.
- Knowledge of languages and frameworks (JavaScript, Java, .NET, Node.js, Angular, and technologies supporting SPAs) and the ability to advise teams on secure coding guidelines.
- CEH or OSCP certification is a huge plus.
Who You'll Work With
You will work in a fast-paced, intellectually intense, service-oriented environment to protect our applications and information systems. You will be part of a team of security architects and security professionals working in support of consultants who deliver business and management strategy to our clients through these applications and systems. You will work with application developers, data analysts, and system owners, providing information security for applications and systems.
Additional info
You're Good At
This role works with various teams and functions; its major stakeholders are the teams responsible for developing applications and products, along with Information Security Risk Management (ISRM). The role is change- and communication-intensive, requiring short- and long-term engagement with business and technology owners across BCG. The following key attributes will help you be successful in the job:
- A strong belief in application security at speed, so that security does not block a product's speed-to-market requirements.
- Ability to explain complex security topics in business and plain language.
- Ability to demonstrate identified security issues to various stakeholders.
- Ability to persuade and to negotiate risk acceptance in line with the organisation's risk appetite.
- Good reasoning and an analytical approach, the ability to create mental visuals, and comfort in dealing with ambiguity.
- An attitude of removing roadblocks and enabling teams to meet their objectives.
- Understanding of GDPR privacy by design.
Boston Consulting Group is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, age, religion, sex, sexual orientation, gender identity / expression, national origin, disability, protected veteran status, or any other characteristic protected under national, provincial, or local law, where applicable, and those with criminal histories will be considered in a manner consistent with applicable state and local laws.
BCG is an E-Verify Employer.