Do you want to build a career that is truly worthwhile? Working at the World Bank provides a unique opportunity for you to help our clients solve their greatest development challenges. The World Bank consists of two entities – the International Bank for Reconstruction and Development (IBRD) and the International Development Association (IDA). It is a global development cooperative owned by 189 member countries. As the largest development bank in the world, the World Bank provides loans, guarantees, risk management products, and advisory services to middle-income and creditworthy low-income countries, and coordinates responses to regional and global challenges. Visit www.worldbank.org.
ITS Vice Presidency Context:
Information and Technology Solutions (ITS) enables the WBG to achieve its mission of ending extreme poverty and promoting shared prosperity in a sustainable way by delivering transformative information and technologies to its staff working in over 150 locations.
Our vision is to transform how the Bank Group accomplishes its mission through information and technology. In this fast-paced, ever-changing world, the formulation and implementation of the ITS strategy is an ongoing, iterative process of learning and adaptation developed through extensive consultations with business partners throughout the World Bank Group.
ITS shapes its strategy in response to changing business priorities and leverages new technologies to achieve three high-level business outcomes: business enablement, by providing Bank Group units with innovative digital tools and technologies to transform how they deliver value for their clients; empowerment & effectiveness, by ensuring that all Bank Group staff are connected, able to find information, and productive to accelerate the delivery of development solutions globally; and resilience, by equipping the Bank Group to provide risk-based cybersecurity and robust data protection for a global network and a growing cloud platform.
Implementation of the strategy is guided by three core principles. The first is to deliver solutions for business partners that are customer-centric, innovative, and transformative. The second is to provide the Bank Group with value for money with selective and standard technologies. The third principle is to excel at the basics by providing a high performing, robust, and resilient IT environment for the organization.
The ITS Information Security and Risk Management (ITSSR) unit, headed by the Chief Information Security Officer (CISO), is responsible for providing leadership in managing the functions and activities of information security and risk across the World Bank Group, enabling the achievement of WBG’s business objectives. ITSSR enables and facilitates a risk-aware culture and ensures that WBG information assets are protected in an effective, efficient, and balanced manner and that IT security and risk management efforts throughout the World Bank Group are coordinated and aligned to the Bank’s business and IT strategy. ITSSR establishes and maintains the World Bank Group’s IT and InfoSec policies and standards; develops and engineers the WBG’s information security plans and solutions; responds to security incidents; and ensures that information risks are identified, assessed, and managed consistently with the overall risk management approach and with the established appetite and tolerance.
We provide a meaningful, open, and collaborative environment. We have many interesting problems to solve, providing you an opportunity to develop your skills while contributing to the mission of the bank. We value teamwork, openness, curiosity, and persistence.
Roles & Responsibilities:
Seeking a talented individual, passionate about cyber security and motivated to join our security engineering team as a penetration tester / red team member.
The Information Security Officer – Penetration Tester / Red Team member will have overall responsibilities for maintaining hands-on expertise with advanced attacker tactics, techniques and procedures (TTPs), for continuously assessing the strength of WBG systems, applications and control environment, and for collaborating with other team members for remediation and additional validation.
The primary responsibilities include, but are not limited to:
• Propose, plan, and execute advanced penetration testing and ethical hacking exercises in a complex and technologically diverse IT environment.
• Provide accurate and detailed reporting of penetration test findings and propose solutions for vulnerability remediation.
• Perform follow-up assessments of remediated systems to validate that any issues identified have been adequately addressed.
• Design and develop custom tooling required for executing advanced attacks and evading preventative and detective controls.
• Continuously stay up to date with attacker tactics, techniques, and procedures (TTPs).
• Perform research on emerging technologies and develop red team exercises to test new software and hardware technologies being considered for adoption.
• Perform security assessments on high risk and financially sensitive business applications.
• Collaborate with World Bank Group’s incident response and security engineering teams to improve detective and preventative controls.
• Work closely with the security operations center (SOC) to leverage intelligence sources, identify new threats in the wild and verify the organization’s security posture against them.
• Act as one of the organization’s security subject matter experts, and field advanced technical questions from other internal IT teams.
• Stay up to date on current security trends, advisories, and academic research that is relevant to World Bank Group’s IT environment.
• Master’s degree in Computer science with 5 years relevant experience OR equivalent combination of education and experience.
• Expert level understanding and demonstrated ability to exploit vulnerabilities in at least one security domain, and advanced understanding of at least two others. For example, web application testing, cloud penetration testing, wireless network attacks, application vulnerability fuzzing, Linux/Windows system exploitation, anti-virus/EDR evasion, container security etc.
• Strong skills with network protocol analyzers, software debuggers and interactive disassemblers (e.g. Wireshark, WinDbg, IDA Pro).
• Ability to craft proof-of-concept exploits and attack payloads that bypass technical defensive controls.
• Advanced understanding of cloud-based IaaS, PaaS and SaaS solutions and typical security concerns associated with them.
• Expert level knowledge of various security assessment frameworks such as Metasploit Pro, PowerShell Empire and Burp Suite Pro.
• Strong working knowledge of layer 2-4 networking concepts. Good understanding of how routing, DNS, and network ACLs work.
• Working knowledge of OWASP and the MITRE ATT&CK framework.
• Experience with modern application and user-aware “next-generation” firewalls and intrusion prevention systems is a plus.
• Practical understanding of cryptography and how it is applied in various software environments.
• Prior experience with malware analysis and reverse engineering would be a plus.
• Outstanding analytical and problem-solving mindset, especially the ability to accurately define a problem and identify the root cause.
• Excellence in communicating risk and remediation requirements from assessments.
• Self-starter requiring minimal supervision.
• Motivated, persistent and agile. Demonstrate maturity and sound judgement.
• Highly organized and detail oriented.
World Bank Group Core Competencies
The World Bank Group offers comprehensive benefits, including a retirement plan; medical, life and disability insurance; and paid leave, including parental leave, as well as reasonable accommodations for individuals with disabilities.
We are proud to be an equal opportunity and inclusive employer with a dedicated and committed workforce, and do not discriminate based on gender, gender identity, religion, race, ethnicity, sexual orientation, or disability.
Learn more about working at the World Bank and IFC, including our values and inspiring stories.