Educational requirements: Bachelor
English requirements: Competent English
Skilled employment experience required: 1-3 years
Required residence status: Temporary visa, Permanent resident, Citizen
Remote work: not accepted
Who We Are:
We are a world-class team of high-caliber application security researchers and analysts who thrive on new challenges. We are an inclusive and diverse team with a full spectrum of experience, distributed globally. We have the resources of a large enterprise and the energy of a start-up, working on a critical greenfield software assurance project in collaboration with our cloud and mobile engineering teams. The Software Assurance organization's mission is to make application security and software assurance a reality at scale. We are a dedicated team, leveraging each other's insights and abilities to produce cutting-edge solutions to difficult problems through automation and CI/CD. Join us to grow your career and create the future of software assurance at scale together.
Work You’ll Do:
As a member of our team, you will be responsible for planning and delivering in-depth security assessments across a variety of products and services. Your next project could be anything from static and dynamic analysis of a multi-node Java infrastructure, to writing a fuzzer for an undocumented network protocol or for the grammar of a new programming language, to analysis and reverse engineering of the firmware used in the thousands of servers supporting our cloud services.
Other responsibilities include:
-Scope and execute security assessments across a broad range of on-premises software, cloud services and infrastructure
-Perform in-depth security assessments that build on results from other sources, such as static analysis, dynamic analysis, penetration testing, red team operations, bug bounty reports and responsible disclosures
-Create testing tools to help engineering teams identify security-related weaknesses
-Collaborate with engineering teams to help them triage and fix security issues
-Keep abreast of new attacker TTPs (Tactics, Techniques and Procedures), mimic them in your security assessments, react quickly to new threat scenarios and share them with the broader security teams across Oracle
-Mentor junior members of the team in software security as a role model
What You’ll Bring:
-Bachelor’s or Master’s degree in Computer Science or related field (e.g. Electrical Engineering)
-10+ years industry experience with 5+ years in IT security in one or more of the following areas: software/product security assessments, penetration testing, red teaming, web application assessments
-Aptitude for self-study, setting and achieving long term goals (for example, learning an unfamiliar programming language)
-Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
-Excellent presentation, verbal, and written communication skills
-Open to working in a hybrid model from our North Ryde office
Nice to Have:
-Experience working in a large cloud or Internet software company
-Proficiency with one or more programming languages, preferably Go, Java, Python or C/C++
-Ability to perform manual source code reviews in one of the aforementioned languages, or assisted review with code analysis tools such as CodeQL
-Experience navigating and working with extremely large codebases
Experience using common security assessment tools and techniques in one or more of the following categories:
-Proficiency in performing mobile application assessment (iOS / Android)
-Reverse engineering (e.g. IDA Pro/Ghidra/Radare2) and debugging codebases with the objective of finding security gaps and vulnerabilities
-Proficiency in fuzzing techniques (e.g. Jazzer/AFL/Peach): injecting invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities
-Proficiency in manual penetration testing in at least two of the following areas: Mobile, API, Infrastructure, OS, Web Application
-Ability to discover hard-to-find vulnerabilities such as insecure Java/PHP/PHAR deserialization, XXE, HTTP desynchronization (request smuggling), cryptographic weaknesses (e.g. ECB block shuffling, CBC bit flipping), mass assignment, template injection, and HTTP/2 and HTTP/3 protocol issues
Knowledge of common vulnerabilities in different types of software and programming languages, including:
-How to test for and exploit them
-Real-world mitigations that can be applied
-Familiarity with vulnerability classification frameworks (e.g. OWASP Top 10, CVSS, MITRE CVE)
-Ability to threat model systems/applications/platforms to assess design and find flaws that can be exploited