The Information Security Department of the Information Technology and Sustainability Division works to protect the reputation and enhance operational resiliency of the Hong Kong Jockey Club by ensuring the availability, integrity, and confidentiality of the Club's communications and network infrastructure, application systems and data.
- Contribute to or lead the management of end-to-end penetration testing, ensuring the quality of testing engagements that identify security weaknesses within the club's business environments, reporting on issues and making remediation recommendations
- Act as a subject matter expert to help support and respond to the club's pending requests, anticipate the club's needs, and suggest solutions using innovative approaches
- Be involved in all aspects of security penetration testing and vulnerability management engagements, which include but are not limited to:
  - Network and host vulnerability assessments and penetration testing.
  - Web application vulnerability assessments and penetration testing.
  - Source code security reviews assisted by automated tools.
  - Exploit research and development skills are a plus.
  - Firewalls, IDS / IPS, and other security device configuration review are a plus.
- Ensure the quality of reports on findings and recommendations meets the club's quality standard.
You should have:
- At least 7 years of experience in Information Risk and Security management.
- Extensive experience in performing application security assessments.
- Preferred certifications: GIAC, CISSP, CEH, OSCP, CISA, CISM, OSCE, OSWE Web Expert, or OSEE Exploitation Expert or equivalent is a great plus.
- Hands-on experience working with Burp Suite, OWASP Zap, Nmap, Metasploit, Wireshark, and SIEM
- Experience with digital security and the recent adoption of mobile and web security measures.
- Experienced in secure application coding and application security scanning.
- Expert knowledge of:
  - Windows, Linux, ChromeOS, and macOS,
  - Implants, shells, Command and Control (C2) infrastructure,
  - TCP/IP, IDS/IPS, firewalls, WAF, and web content filtering,
  - Crypto: PGP, SSH, PKI; network equipment such as Cisco, Palo Alto, and Juniper; AWS environments.
- Performing penetration tests, vulnerability assessments, and application/infrastructure security reviews for the web and mobile applications.
- Support the development of application coding guidelines and the application security scanning process.
- Support the development of a penetration test policy and source code review guidelines.
The level of appointment will be commensurate with qualifications and experience. A contract employment will be offered to the successful candidate. Contract renewal will be subject to mutual agreement between the Club and the individual.
Only shortlisted candidates will be notified.
We are an equal opportunity employer. Personal data provided by job applicants will be used strictly in accordance with the Club's notice to employees and prospective employees relating to the Personal Data (Privacy) Ordinance, a copy of which will be provided immediately upon request.