- Designing and evaluating complex systems for security
- Scope and execute security assessments and vulnerability research
- Perform in-depth security assessments using results from static and dynamic analysis
- Create testing tools to help engineering teams identify security-related weaknesses
- Keep yourself abreast of new TTPs (Tactics, Techniques & Procedures) of the attackers, mimic them in your technical security risk assessments and/or quickly react to new threat scenarios to provide continuous security assurance
- Collaborate with engineering teams to help them triage and fix security issues
- Mentor members of the team in software security as a role model
- 12+ years industry experience with 7+ years in IT security in one or more of the following areas: software/product security assessments, penetration testing, red teaming, web application assessments
- Interest in vulnerability research and exploit development
- Demonstrable experience in designing and evaluating complex systems for security
- Aptitude for self-study, setting and achieving long term goals (for example, learning an unfamiliar programming language)
- Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
- Excellent organizational, presentation, verbal, and written communication skills
- This role does not require access to a cleared work environment. Security clearances are not required, and active clearances cannot be sponsored.
- Flexibility to work in Hybrid model (50%) from our Reading office.
- Experience working in a large cloud or Internet software company
- Proficiency with multiple programming languages, preferably Go, Java, Python or C/C++
- 5+ years industry experience in software development
- Ability to perform manual source code reviews in one of the aforementioned languages, or assisted review with code analysis tools
- Hands-on experience in one or more of the following with an interest in doing full time research: cybersecurity consulting, security engineering, vulnerability management, risk assessments, bug bounty hunting, malware analysis, forensics
- OSCP, OSWE certification, or interest in achieving certification
- Experience navigating and working with extremely large codebases is also highly desirable
- Experience using common security assessment tools and techniques in one or more the following categories: Mobile Application Assessment (iOS / Android), Reverse Engineering (. IDA Pro/Ghidra/Radare2), Fuzzing (. Jazzer/AFL/Peach), Web Application assessment (. Burp Suite Proxy, ZAP, REST API testing)
- Proficiency in manual penetration testing in at least TWO or more of the following areas - Mobile, API, Infrastructure, OS, Web Application
- Knowledge of common vulnerabilities in different types of software and programming languages, including: How to test for/exploit them, Real world mitigations that can be applied
- Familiarity with vulnerability classification frameworks (. OWASP Top 10, CVSS, MITRE CVE)
- Ability to threat model systems/applications/platforms to assess design and find flaws that can be exploited
- A team of very skilled and diverse personnel across the globe
- Ability to work in a hybrid work environment
- Exposure to mind blowing large-scale cutting-edge systems
- The resources of a large, global operation while still having the small, start-up feel of a smaller team day to day
- Develop new skills and competencies working with our vast cloud product offerings
- Ongoing extensive training and skills development support to further your career aspirations
- Incredible benefits and company perks
- An organization filled with smart, enthusiastic, and motivated colleagues
- The opportunity to impact and improve our systems and delight our customers
Senior Principal Security Researcher - Reading, United Kingdom - Oracle
Description
We are a world-class team of application security researchers who love new challenges. We are an inclusive and diverse, with a full range of experience and a global reach. We have the resources of a large enterprise and the energy of a start-up, and we're working on a critical software assurance initiative with our cloud and mobile engineering teams. Our mission is to make application security and software assurance a reality, at scale. We're a dedicated team that leverages each other's strengths to produce cutting-edge solutions to difficult problems. Join us to grow your career and create the future of software assurance at scale. #LI-DNI
Work You'll Do
As a member of our team, you will be responsible for planning and delivering in depth security assessments across a variety of products and services. Your next project could be anything from a secure systems design, static and dynamic analysis of a multi-node microservice infrastructure, to writing a fuzzer for an undocumented network protocol or the grammar of a new programming language, or analysis and reverse engineering of firmware used in the thousands of servers supporting our cloud services. Other responsibilities include:
What You'll Bring
Nice to Have
What We'll Give You