To perform advanced vulnerability assessments and penetration testing activities across applications, systems, and network infrastructure in order to proactively identify security weaknesses, assess risk exposure, and ensure remediation prior to system go-live.

The role contributes to strengthening the Bank’s cybersecurity posture by enforcing secure development practices and supporting Security by Design implementation across IT initiatives.

---

- CRITICAL ACCOUNTABILITIES

 Vulnerability Assessment & Penetration Testing (VAPT)

Major Activities:

• Execute internal and external penetration testing on:
• Web applications, APIs, Mobile applications
• Core Banking and Digital Banking systems
• Network infrastructure (internal/external, wired/wireless)
• Servers and operating systems
• Perform vulnerability scanning and configuration security assessments.
• Validate and exploit vulnerabilities in accordance with OWASP, PTES, and industry best practices.
• Conduct re-testing to verify remediation effectiveness.
• Prepare comprehensive technical reports including risk rating, proof-of-concept (PoC), and remediation recommendations.
• Provide technical consultation to development and infrastructure teams on mitigation strategies.

Outcomes / Performance Measures:

• Completion of assigned penetration testing plan.
• % of High/Critical vulnerabilities identified and reported accurately.
• % of vulnerabilities remediated within agreed SLA.
• Quality and clarity of security assessment reports.

---

Security Review in IT Projects (Secure SDLC)

Major Activities:

• Participate in security reviews prior to system go-live.
• Assess security risks related to Change Requests (CRs).
• Validate implementation of Security by Design principles throughout SDLC.
• Conduct security assessments for third-party vendors and outsourced solutions when assigned.

Outcomes / Performance Measures:

• Number of projects reviewed before go-live.
• Reduction of security findings detected post-production.
• Compliance with internal security standards and regulatory requirements.

 Continuous Improvement & Threat Research

Major Activities:

• Research emerging threats, attack techniques, and newly discovered vulnerabilities.
• Propose improvements to penetration testing methodology and automation.
• Support Red Team simulations and incident response exercises when required.
• Contribute to development of internal security guidelines and testing procedures.

Outcomes / Performance Measures:

• Adoption of improved testing techniques/tools.
• Contribution to enhanced detection and prevention capabilities.

---

 AUTHORITY / RESPONSIBILITY

Decisions within Authority:

• Risk severity classification and remediation prioritization.
• Selection of appropriate testing methodology and technical approach.
• Technical recommendations for vulnerability mitigation.

Decisions Requiring Management Approval:

• Acceptance of residual risk impacting critical business services.
• Investment in new security tools or external penetration testing services.
• Engagement with regulators or external authorities.

---

QUANTITATIVE DIMENSIONS

• Annual penetration testing coverage (% of critical systems assessed).
• Number of applications/systems assessed per year.
• Vulnerability remediation rate within SLA.
• Achievement of annual KPIs and objectives within allocated budget.

---

REPORTING RELATIONSHIP

• Reports directly to: Head of Application Security / Cybersecurity Manager.
• Works closely with:
• IT Development Teams
• Infrastructure & Operations
• Risk Management
• Compliance & Internal Audit
• External Vendors (as assigned)

---

JOB REQUIREMENTS

 Educational Qualifications: Bachelor’s Degree in Information Technology, Computer Science, Cybersecurity, Cryptography, or related discipline.

Relevant Knowledge / Expertise

• Minimum 3–5 years of experience in Information Security, preferably within banking or financial services.
• Strong knowledge of:
• Web, API, and Mobile security testing
• Network and system security
• Secure coding principles
• Common attack vectors and exploitation techniques
• Hands-on experience with tools such as:
• Kali Linux
• Burp Suite
• Metasploit
• AppScan
• Nessus or equivalent VA tools
• Solid understanding of OWASP Top 10 and international security standards (ISO 27001, PCI-DSS).
• Ability to review and analyze source code (Java, .NET, Python, PHP, etc.) is an advantage.
• Basic understanding of encryption and cryptographic principles.

---

Skills & Competencies

• Strong analytical and problem-solving capability.
• Ability to produce structured and professional technical reports.
• Effective communication skills with technical and non-technical stakeholders.
• Ability to work independently under pressure.
• High level of integrity and confidentiality.
• Good understanding of risk management principles and regulatory environment in banking.

---

PREFERRED CERTIFICATIONS: OSCP (highly preferred),CEH,GPEN,GWAPT,CISSP (advantage)

II. Compensation & Benefits

- Competitive salary package: 40-50M (Senior) / 35M (Middle) x 14–15 months/year.

- Performance-based bonuses: business results, individual performance, innovation, responsibility, etc.

- Health insurance & wellness: GPBankCare package (provided by Bao Viet Insurance) extended to employees and family members.

- Learning & Development: support for professional training courses and international certification exams.

- Annual company trip and vacation allowance: Up to 6M/year.

- Holiday & special occasion bonuses (National holidays: Sept 2nd, Apr 30th, Hung Kings’ Festival, birthdays, weddings, etc.): Up to 3M/times.

 

🌱 WORKING HOURS AND LOCATION

I. Working Hours

Standard working hours: Monday – Friday (flexible start time: 8:00 / 8:30 / 9:00) and 2 Saturday mornings per month (8:00–12:00).

II. Work Locations

- Location 03: 45 Nguyen Van Huyen, Cau Giay, Ha Noi (New GPBank Technology Headquarters).

🌱 Receive additional advice on the job opportunity: 

📞 Phone/Zalo: 0904.543.958
📧 Email: nhungbth@gpbank.com.vn

•