XML International

Penetration tester

Austria · Full-time · Mid-Senior

Job Description

Job Title: Cybersecurity Consultant – Web Application Penetration Tester (Contract)

Location: Remote

Contract Duration: Starting 1 September 2025 (with project completion by 31 December 2025)

Organization: United Nations Office on Drugs and Crime (UNODC)

Application Deadline: 19 May 2025, 03:00 PM Vienna Time

Type: Short-term Consultancy / Project-Based

Project Summary:

UNODC is seeking a qualified and experienced Cybersecurity Consultant or Firm to conduct a penetration test and security assessment of the goAML web application. The consultant will be responsible for performing a comprehensive evaluation of the application's security posture, identifying vulnerabilities, and providing remediation recommendations in alignment with international standards.

Key Responsibilities:

  • Plan and execute penetration testing on the goAML web application using industry-standard methodologies.
  • Perform risk assessments and identify vulnerabilities across the web application's exposed interfaces and services.
  • Deliver a comprehensive final report detailing:
      • Methodology and tools used
      • Summary and key findings
      • Risk assessment and severity levels
      • Reproduction steps for each finding
      • Remediation recommendations (short and long term)
  • Provide a retest report to verify implementation of recommended fixes.
  • Maintain confidentiality and ensure all testing artifacts are handled securely.
  • Ensure compliance with NIST 800-115 and OWASP Top 10 Web Security Risks.

Requirements:

Mandatory Qualifications:

  • Active ISO27001 certification.
  • Penetration testers must have a minimum of 5 years of experience in security testing of FINTECH applications.
  • Must possess at least one of the following certifications:
      • CEH, OSCP, CWAPT, GWAPT, eWPT, CISSP, or MSc in Information Security.
  • Proven track record of conducting security assessments for:
      • Large-scale web applications
      • FINTECH solutions
      • Security-critical systems
  • Demonstrated experience working with governmental or international organizations.
  • Full commitment to:
      • Internationally recognized testing standards
      • Confidentiality
      • Providing a complete and verifiable risk report

Technical Environment:

  • Application built on .NET 8, hosted on IIS
  • Angular SPA, APIs developed in C# WebApi/REST
  • ~218 API endpoints, 30+ screens, 2FA enabled
  • MVC, Web API, and OData Controllers
  • Authentication via cookies, Bearer, and optionally Basic Auth
  • Uses WebSockets and role-based access control (RBAC)

Deliverables:

  • Initial penetration testing and comprehensive security report
  • Verification (retest) of resolved vulnerabilities within 60 days
  • Addendum report confirming implemented fixes
  • Compliance with all terms outlined by UNODC

Evaluation Criteria:

  • Technical compliance with requirements
  • Competitive pricing
  • Proven capacity to deliver remotely, securely, and on time

Key Skills

Ranked by relevance

penetration testing, cybersecurity, cissp, owasp, oscp, nist

Posted: May 14, 2025

Type: Full-time

Level: Mid-Senior

Location: Vienna

Industries

Software Development

Categories

Information Technology
