Senior Principal Security Researcher - Reading, United Kingdom - Oracle

    Oracle
    Oracle Reading, United Kingdom

    1 week ago

    Default job background
    Regular Employee
    Description

    We are a world-class team of application security researchers who love new challenges. We are an inclusive and diverse, with a full range of experience and a global reach. We have the resources of a large enterprise and the energy of a start-up, and we're working on a critical software assurance initiative with our cloud and mobile engineering teams. Our mission is to make application security and software assurance a reality, at scale. We're a dedicated team that leverages each other's strengths to produce cutting-edge solutions to difficult problems. Join us to grow your career and create the future of software assurance at scale. #LI-DNI

    Work You'll Do

    As a member of our team, you will be responsible for planning and delivering in depth security assessments across a variety of products and services. Your next project could be anything from a secure systems design, static and dynamic analysis of a multi-node microservice infrastructure, to writing a fuzzer for an undocumented network protocol or the grammar of a new programming language, or analysis and reverse engineering of firmware used in the thousands of servers supporting our cloud services. Other responsibilities include:

  • Designing and evaluating complex systems for security
  • Scope and execute security assessments and vulnerability research
  • Perform in-depth security assessments using results from static and dynamic analysis
  • Create testing tools to help engineering teams identify security-related weaknesses
  • Keep yourself abreast of new TTPs (Tactics, Techniques & Procedures) of the attackers, mimic them in your technical security risk assessments and/or quickly react to new threat scenarios to provide continuous security assurance
  • Collaborate with engineering teams to help them triage and fix security issues
  • Mentor members of the team in software security as a role model

    • What You'll Bring

  • 12+ years industry experience with 7+ years in IT security in one or more of the following areas: software/product security assessments, penetration testing, red teaming, web application assessments
  • Interest in vulnerability research and exploit development
  • Demonstrable experience in designing and evaluating complex systems for security
  • Aptitude for self-study, setting and achieving long term goals (for example, learning an unfamiliar programming language)
  • Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
  • Excellent organizational, presentation, verbal, and written communication skills
  • This role does not require access to a cleared work environment. Security clearances are not required, and active clearances cannot be sponsored.
  • Flexibility to work in Hybrid model (50%) from our Reading office.

    • Nice to Have

  • Experience working in a large cloud or Internet software company
  • Proficiency with multiple programming languages, preferably Go, Java, Python or C/C++
  • 5+ years industry experience in software development
  • Ability to perform manual source code reviews in one of the aforementioned languages, or assisted review with code analysis tools
  • Hands-on experience in one or more of the following with an interest in doing full time research: cybersecurity consulting, security engineering, vulnerability management, risk assessments, bug bounty hunting, malware analysis, forensics
  • OSCP, OSWE certification, or interest in achieving certification
  • Experience navigating and working with extremely large codebases is also highly desirable
  • Experience using common security assessment tools and techniques in one or more the following categories: Mobile Application Assessment (iOS / Android), Reverse Engineering (. IDA Pro/Ghidra/Radare2), Fuzzing (. Jazzer/AFL/Peach), Web Application assessment (. Burp Suite Proxy, ZAP, REST API testing)
  • Proficiency in manual penetration testing in at least TWO or more of the following areas - Mobile, API, Infrastructure, OS, Web Application
  • Knowledge of common vulnerabilities in different types of software and programming languages, including: How to test for/exploit them, Real world mitigations that can be applied
  • Familiarity with vulnerability classification frameworks (. OWASP Top 10, CVSS, MITRE CVE)
  • Ability to threat model systems/applications/platforms to assess design and find flaws that can be exploited

    • What We'll Give You

  • A team of very skilled and diverse personnel across the globe
  • Ability to work in a hybrid work environment
  • Exposure to mind blowing large-scale cutting-edge systems
  • The resources of a large, global operation while still having the small, start-up feel of a smaller team day to day
  • Develop new skills and competencies working with our vast cloud product offerings
  • Ongoing extensive training and skills development support to further your career aspirations
  • Incredible benefits and company perks
  • An organization filled with smart, enthusiastic, and motivated colleagues
  • The opportunity to impact and improve our systems and delight our customers