Senior Security Researcher - Hunter team (SAST)

Overview

We’re looking for an experienced Security Researcher to join Snyk’s Hunter team and take part in research-led work developing the rules for the Snyk Code SAST engine. We regularly look at new and emerging languages, technologies and frameworks to better model the source code we analyse for our customers, helping them identify potential security vulnerabilities before their code reaches production. 

You’ll Spend Your Time:

• Writing security rules to detect known and unknown vulnerabilities using a proprietary language and built-for-purpose tooling. 
• Taking an active part in shaping existing and future language and framework support for Snyk Code.
• Diving deeper into the mechanics of a programming language or a framework, including looking at best practices, common vulnerable patterns, and novel security issues.
• Dealing with complex customer issues i.e. resolving false positive or false negative issues; to help cement our position as the most accurate tool in the market.
• Leading projects with other teams involved in Snyk Code related to Program Analysis and Machine Learning. You will often collaborate with other teams by providing domain guidance and expertise to enhance the security offering provided by the various Snyk products.
• Taking part in independent research projects on research days and on a rotational basis. 
• Writing blogs about the research projects, i.e: https://snyk.io/blog/finding-yaml-injection-with-snyk-code/, https://snyk.io/blog/the-dangers-of-setattr-avoiding-mass-assignment/. 
• Performing exploratory research in order to better understand potential gaps in the system, or guide our way towards implementation of features.
• Working directly with leading open source maintainers to disclose new security issues and help secure their products.
• Presenting your research at security working groups, conferences, and in publications.

What You’ll Need:

• Application security experience as a developer, pentester or consultant
• Good understanding of major vulnerability types such as XSS, CSRF, SQL Injection, Deserialization, RCE, Buffer Overflow, Use After Free etc.
• Experience with C/C++ or a similar low-level programming language, and with a variety of other high-level languages (Java, C#, Python or similar).
• Interest in learning about the mechanics and inner workings of a language or a framework.
• Strong communication skills in English, spoken and written

We’d be Lucky if You:

• Have experience with SAST concepts and tools
• Have taken part in CTF’s, bug-bounty programs or identified vulnerabilities leading to CVE’s.
• Enjoy hunting for security vulnerabilities through the wilds of open source software security.

#LI-HW1