Sr. Penetration Tester

  • Posted 3 days ago | Updated 15 hours ago

Overview

Remote
Depends on Experience
Contract - Independent
Contract - W2
Contract - 12 Month(s)

Skills

ADS
IDPS
Penetration Testing
Reporting
SSO
Testing
Web Applications

Job Details

Role: Sr. Penetration Tester

Location: Remote

Duration: 12+ Months Contract

JOB REQUIREMENTS:

1. The selected contractor will work closely with ADS, BGS, implementation vendor and Ivalua personnel as required during this engagement.

2. External web application penetration testing of VTBuys against their production-like environments (URL to be provided at launch).

3. Testing will include the applied IDPs for internal and external SSO methods. This will include Entra ID for internal users and Okta for external users.

4. Perform penetration tests including black box testing on the web site(s) / endpoints defined above to assess the extent of a compromise an attacker can achieve by identifying and exploiting any vulnerabilities.

5. Perform testing of an authenticated user for three (3) user roles.

6. Follow each penetration test with a comprehensive report of risk-ranked vulnerabilities/findings and associated exploits, which will include but not be limited to:

a. detailed steps taken to discover as well as recreate the finding.

b. likelihood and potential impact of exploitation.

c. suggested steps for remediation, or mitigation if remediation is not possible.

7. Alert the State of Vermont Security Team as soon as possible upon discovery of any critical or high findings so that the State may assess and the vendor can begin remediation.

8. Attend virtual meetings with the State, KPMG and Ivalua to discuss findings and remediation.

9. Perform a Phase II retest of remediated findings and of development changes made between Phase I and II, so as to assure the State that the findings have in fact been remediated and that any new development has been adequately tested.

10. Destruction of any information obtained from KPMG, Ivalua or the SOV resulting from these penetration tests.

11. Penetration testing must be conducted in the United States. All data obtained during this engagement must remain in the US.
