Deloitte | India Offices of the US

Role: Cyber Risk Attack Surface Consultant

As a Consultant, you will:

• Work with global teams to identify vulnerabilities and rogue assets (e.g., shadow IT).
• Help clients achieve business growth while managing risk.

Work You’ll Do

• Conduct vulnerability assessments and manual penetration testing for web, API, thick client, and mobile applications.
• Perform secure code reviews and analyze false positives from industry-standard tools.
• Respond to ad-hoc reporting and research requests from management and analysts.
• Develop and implement application security policies and procedures.
• Identify and prioritize security vulnerabilities.
• Coordinate with application development and operations teams on remediation plans.
• Quickly understand and deliver on company and client requirements.
• Participate in daily, weekly, quarterly, and yearly reporting for clients, partners, and internal teams.
• Adhere to internal operational security and Deloitte policies.

Required Qualifications

• Bachelor’s degree or higher in Computer Science, or equivalent experience.
• 3–5 years of hands-on experience in:
• Application security
• Vulnerability assessment
• Penetration testing
• Mobile application security
• Thick client and Web API security assessments
• Strong understanding of OWASP Top 10 and related vulnerabilities.
• Experience in manual assessment and exploitation (e.g., Blind SQLi, XXE, SSRF, Insecure Deserialization, HTTP Request Smuggling).
• Understanding of OAUTHv2/OpenID standards and business logic vulnerabilities.
• Experience with secure code review (OWASP Secure Coding Practices).
• Proficiency with tools: Burp Suite, Fiddler, Sysinternals, Veracode, DnSpy, OllyDbg, IDA Pro, EchoMirage, Wireshark, Apktool, Jadx-gui, Frida, etc.
• Ability to perform manual penetration testing and use automated tools.
• Excellent technical report writing skills.
• Knowledge of web application components (frontend, backend, databases, application servers).
• Understanding of web development technologies (HTML, CSS, JavaScript, PHP, Java, .NET, backend databases).
• Experience with application security architecture review and threat modeling.
• Basic concepts of reverse engineering and memory analysis.
• Understanding of networking protocols (TCP/IP, DNS, HTTP/S).
• Familiarity with vulnerability classification (CVE/CVSS).
• Certifications: CISSP, OSCP, OSWE, BSCP, GWAPT.

Preferred Qualifications

• Proficiency in web and mobile application security assessments, penetration testing, and secure code review.
• Relevant publications (blogs, tools, conference presentations, CVEs).
• Preferred certifications: OSWE, BSCP.
• Experience with automation and scripting (Python).
• Outstanding English written and oral communication skills.
• Strong understanding of web, mobile, and microservices vulnerabilities.
• Knowledge of malicious code operation and exploitation.
• Strong analytical and problem-solving skills.
• Self-motivated and eager to learn new attack vectors.
• Desire to deeply understand the what, why, and how of security vulnerabilities.

If you are passionate about cybersecurity and ready to make an impact, Deloitte’s ASM team offers a collaborative and innovative environment to grow your career.