
Oracle Hiring for Principal Security Researcher at Columbia, MD

Oracle


This is a role for someone who loves to collaborate with teams of very experienced developers to discover and help solve challenging security problems. You will bring your many years of experience conducting security research to work on a business-critical, greenfield software assurance project in collaboration with our cloud and mobile engineering teams. This role has the opportunity to bridge several disciplines to discover obscure vectors and novel kill chains – it’s fun work.

Oracle’s Software Assurance organization is responsible for application security and software assurance for some of Oracle’s most advanced cloud products. We are an inclusive and diverse distributed team of expert application security researchers who thrive on new challenges. Our scope includes emergent security challenges for the most demanding cloud and security assurance use cases in the industry.

As a member of our team, you will be responsible for planning and delivering in depth security assessments across a variety of products and services. The ecosystems you’ll be testing and improving span from source code review of backend services, to static and dynamic analysis of a mobile application, to review or creation of technical security designs.

Responsibilities include:

  • Scope and execute security assessments across a broad range of on-premise software, mobile applications, cloud services and infrastructure, document vulnerabilities and findings, and help drive designs to mitigate risk
  • Perform in-depth security assessments using your source code review skills, leveraging modern tools to find your targets
  • Create testing tools to help engineering teams identify security-related weaknesses early and fight regression
  • Collaborate with engineering teams to help them triage and fix security issues
  • Keep yourself abreast of new TTPs (Tactics, Techniques & Procedures) of the attackers, mimic them in your security assessments and/or quickly react to new threat scenarios to provide continuous security assurance
  • Mentor junior members of the team in software security as a role model

What You’ll Bring

  • Aptitude for self-study, setting and achieving long term goals (for example, learning an unfamiliar programming language)
  • Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
  • Excellent organizational, presentation, verbal, and written communication skills
  • Proficiency with two or more programming languages, preferably Go, Java, Python or C/C++
  • Must be legally authorized to work in the United States without the need for employer sponsorship, now or at any time in the future
  • This role offers workplace flexibility within the United States, with 50% travel to either our Columbia, MD or Denver, CO office
  • This role does not require access to a cleared work environment. Security clearances are not required, and active clearances cannot be sponsored.

Nice to Have

  • Experience working in a large cloud provider or Internet software company
  • Ability to perform manual source code reviews in one of the aforementioned languages, or assisted review with code analysis tools such as CodeQL
  • Experience navigating and working with extremely large codebases is also highly desirable
  • Experience using common security assessment tools and techniques in one or more of the following categories:
    • Proficiency in performing mobile application assessment (iOS / Android)
    • Reverse engineering (e.g., IDA Pro/Ghidra/Radare2) and debugging codebases with the objective of finding security gaps and vulnerabilities
    • Proficiency in fuzzing (e.g., Jazzer/AFL/Peach) techniques to inject invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities
    • Proficiency in advanced mobile, API, infrastructure, and web application penetration testing to find vulnerabilities such as insecure Java/PHP/PHAR deserialization, XXE, HTTP desynchronization, cryptography weaknesses (exploiting ECB shuffling, CBC bit flipping, etc.), mass assignment, template injection, HTTP/2 and HTTP/3 protocol issues, etc.
  • Knowledge of common vulnerabilities in different types of software and programming languages, including:
    • How to test for and exploit them, and how to develop a proof of concept
    • Real world mitigations that can be applied
    • Familiarity with vulnerability classification frameworks
    • Ability to threat model systems/applications/platforms to assess design and find flaws that can be exploited

Why you should join our team

  • A very skilled and diverse team spread across the globe
  • Impact at a massive scale
  • The resources of a global business combined with the “start-up” feel that comes from a smaller team
  • Develop new skills and competencies working with our vast cloud product offerings
  • Ongoing extensive training and skills development to further your career aspirations
  • Incredible benefits and company perks
  • An organization filled with smart, enthusiastic, and motivated colleagues
  • The opportunity to impact and improve our systems and delight our customers