Senior Principal Security Analyst

Oracle Corporation,
Reading, Berkshire

Overview

Job Description

The Global Product Security Ethical Hacking Team (EHT) is seeking experienced, passionate and talented security researchers who relish the challenge of assessing large, complex software products. As a member of the EHT you will be responsible for planning and delivering in depth security assessments across Oracle's entire product and service portfolio. With hundreds of products spanning many different vertical markets, your next project could be anything from static and dynamic analysis of a Java infrastructure with dozens of nodes to a fuzzer for an undocumented network protocol or the grammar of a new language to analysis and reverse engineering of firmware used in servers supporting our cloud services. Creativity is highly valued; finding novel bugs then stitching them together to create something greater than the sum of their parts is essential in this role. This isn't a run-of-the-mill pentesting role where you grind out web application assessments week in week out. The EHT is a dedicated security research group who invest the same time and effort you would expect from a state-sponsored APT, striving to advance the state of the art and find the truly critical bugs at the heart of a product. Unlike an APT team we're not only invested in finding bugs but also making sure they are fixed correctly and don't happen again. We don't just need people who can find CVSS 10 bugs, we need people who can use their skills and share their expertise to effect meaningful change across the company. A successful candidate must have genuine excitement for and interest in security, as well as the desire to share knowledge and help others learn. Your work will benefit thousands of Oracle engineers worldwide and shape the future of product security within one of the largest software companies in the world. If this sounds like you, get in touch! 
Profile:
- 5 years industry experience in a software/product assessment or penetration testing role
- Proficiency with one or more programming languages, preferably C/C++ or Java
- Extensive experience in vulnerability research and POC exploit development on Linux or Windows
- Experience using common software security assessment tools in the following categories:
  o Reverse Engineering (e.g. IDA Pro/Ghidra/Radare2)
  o Network analysis (e.g. Wireshark/tcpdump)
  o Program analysis (e.g. GDB/WinDbg/Intel Pin/Semmle QL)
  o Fuzzing tools (e.g. Peach/AFL)
  o Web Application assessment (e.g. BurpSuite Proxy, SoapUI, Postman)
- Deep understanding of modern cryptography, and the ability to write proof of concept code to demonstrate flawed cryptographic implementations
- Experience with threat modelling and architecture analysis of complex applications
- Extensive knowledge of common vulnerabilities in different types of software and programming languages, including:
  o How to test for/exploit them
  o Real world mitigations that can be applied
  o Familiarity with vulnerability classification frameworks (e.g. OWASP Top 10)

Required Soft Skills
- Aptitude for self-study, setting and achieving long term goals (for example, learning an unfamiliar programming language)
- Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
- Excellent organizational, presentation, verbal and written communication skills

Desirable Skills/Qualifications
- Bachelor's or Master's degree in Computer Science or related field (e.g. Electrical Engineering)
- Experience working in a large cloud or Internet software company

Role's core responsibilities:
- Scope and execute security assessments across a broad range of on-premise and cloud services; develop proof-of-concept code or end-to-end exploits for bugs you've identified
- Create testing tools to help engineering teams identify weaknesses in their own code
- Collaborate with engineering teams to help them triage and fix security issues, identifying systemic security weaknesses to create secure coding guidance that will educate all engineering teams within Oracle
- Documentation, presentations and supporting material to deliver your findings to senior figures within the development organisation and your own management chain

Design, develop, troubleshoot and debug software programs for databases, applications, tools, networks etc. As a member of the software engineering division, you will take an active role in the definition and evolution of standard practices and procedures. Define specifications for significant new projects and specify, design and develop software according to those specifications. You will perform professional software development tasks associated with the developing, designing and debugging of software applications or operating systems. Provide leadership and expertise in the development of new products/services/processes, frequently operating at the leading edge of technology. Recommends and justifies major changes to existing products/services/processes. BS or MS degree or equivalent experience relevant to func