Senior Principal Offensive Security Researcher

Your next project could be anything from secure systems design, static and dynamic analysis of a multi-node Java infrastructure, to writing a fuzzer for an undocumented network protocol or the grammar of a new programming language, to analysis and reverse engineering of firmware used in the thousands of servers supporting our cloud services. Other responsibilities include:

• Designing and evaluating complex systems for computer security
• Scope and execute security assessments and vulnerability research
• Perform in-depth security assessments using results from static and dynamic analysis
• Create testing tools to help engineering teams identify security-related weaknesses
• Collaborate with engineering teams to help them triage and fix security issues
• Mentor members of the team in computer and software security as a role model and team leader

Career Level - IC5

What You’ll Bring

• Bachelor’s or Master’s degree in Computer Science or related field (e.g. Electrical Engineering)
• 15+ years of relevant experience in one or more of the following areas: software/product security assessments, penetration testing, red teaming, web application assessments
• Interest in vulnerability research and exploit development – leading groups of 5 -10 engineers past experience required
• Understanding of operating systems, CPU instruction sets and their associated security designs
• Understanding of exploit mitigations (DEP, ASLR, CFG, PAC, CET, etc.)
• Demonstrable experience in designing and evaluating complex systems for security
• Aptitude for self-study, setting and achieving long term goals (for example, learning an unfamiliar programming language)
• Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
• Excellent organizational, presentation, verbal, and written communication skills; strong writing skills are required

Nice to Have

• Experience working in a large cloud or Internet software company
• Proficiency with multiple programming languages, preferably Go, Java, Python or C/C++
• Ability to perform manual source code reviews in one of the aforementioned languages, or assisted review with code analysis tools such as CodeQL
• Experience navigating and working with extremely large codebases is also highly desirable
• Experience using common security assessment tools and techniques in one or more the following categories:
• Mobile Application Assessment (iOS / Android)
• Reverse Engineering (e.g. IDA Pro/Ghidra/Frida)
• Fuzzing (e.g. Jazzer/AFL/Peach)
• Web Application assessment (e.g. Burp Suite Proxy, ZAP, REST API testing)
• Proven experience with security research including any published CVEs
• Experience developing proof of concept exploits bypassing modern exploit mitigations
• Active participant or organiser of Capture The Flag competitions
• Knowledge of common vulnerabilities in different types of software and programming languages, including:
• How to test for/exploit them
• Real world mitigations that can be applied
• Familiarity with vulnerability classification frameworks (e.g. OWASP Top 10, CVSS, MITRE CVE)

What We’ll Give You

• A team of very skilled and diverse personnel across the globe
• Ability to work in a hybrid work environment
• Exposure to mind-blowing large-scale cutting-edge systems
• The resources of a large, global operation while still having the small, start-up feel of a smaller team day to day
• Develop new skills and competencies working with our vast cloud product offerings
• Ongoing extensive training and skills development to further your career aspirations
• Incredible benefits and company perks
• An organization filled with smart, enthusiastic, and motivated colleagues