Senior Pentest Security Engineer, Penetration Testing

Job summary
Come join our offensive security team dedicated to the detection and exploitation of vulnerabilities affecting Amazon consumer devices. This includes performing low-level reviews of hardware, bootloaders, radios, secure enclaves, or OS security features of devices, service reviews including authentication mechanisms, AI, mobile, & web apps. Engineers are also encouraged to experiment with automated techniques, such as symbolic execution, fuzzing, machine learning, or static analysis.

Amazon Devices (Lab126) is an inventive research and development company that designs and engineers high-profile consumer electronics. Lab126 began in 2004 as a subsidiary of Amazon.com (http://amazon.com/), Inc., originally creating the best-selling Kindle family of products. Since then, we have produced groundbreaking devices like Amazon Echo, Astro, Kuiper, Ring Always Home Cam Drone, Fire tablets, and Fire TV. What will you help us create?

Are you interested in being part of a top-notch security team covering all Amazon consumer devices (including hardware and low-level functionality) as well as key Amazon services supporting our devices (such as Computer Vision, Alexa, Kindle, etc.)? Do you want to be part of an offensive security team dedicated to detection and exploitation of vulnerabilities prior to launch in order to keep Amazon consumer devices and services safe? Your work directly impacts the way our customers, teams, and business across the globe get things done. If you want to keep customers safe, then we have a job for you! You can learn more about security at Lab 126 here: https://www.youtube.com/watch?v=k0UTTxzeGog.

In this role, you will be part of a dedicated team of talented security engineers performing penetration testing exercises to identify vulnerabilities. You will strive to understand systems, software, and services deeply and develop creative ways to break assumptions in order to find vulnerabilities. You care deeply about keeping Amazon customers safe and therefore are passionate about mitigating vulnerabilities/risks by providing actionable guidance to product teams and drive long term security improvements. You're well-known for your excellent prioritization skills as well as your ability to communicate at all levels of an organization. If you're passionate about finding security bugs, writing tools to reduce manual testing, and enjoy seeing your work's impact across Amazon consumer products and services, then this position is for you. Candidates from entry to senior level will all be considered.


Key job responsibilities

• Perform penetration testing exercises across all products, services, and software released by Amazon Lab126 and develop proof of concept exploits.
• Perform vulnerability research using variety of custom tooling and technologies (e.g. symbolic execution, static analyzers, fuzzers, scanners, machine learning, etc).
• Create tools for the discovery of vulnerabilities as well as scale security testing.
• Review technical solutions to provide guidance to help mitigate security vulnerabilities as well as provide actionable long-term risk mitigation guidance to drive security improvements.
• Develop detailed technical documentation describing identified vulnerabilities, associated impact as well as recommendations for guidance for communication with internal engineering stakeholders as well as leadership.

A day in the life

• Perform pentests on yet-to-be-released devices or software ensuring it meets security requirements
• Perform code review of a driver for a new device being launched to our customers
• Write proof-of-concept code to demonstrate the impact of a security issue
• Ensure high security of vendor-provided hardware (such as whether there are security flaws in its boot process, etc.)
• Verify the code fixes made to address security issues
• Develop scripts or tools to automate assessments of targets
• Conduct independent vulnerability research on launched products or dependencies

About the team
Within the Devices and Services Security organization, the internal penetration testing team is responsible for product implementation reviews: penetration testing, fuzzing and vulnerability research. The internal penetration testing team is part of the Devices and Services Security organization, which is responsible for the entire SDLC, vulnerability management, incident response, and overall security across Amazon Consumer Devices (Kindle, Ring, FireOS, Kuiper, Alexa, eero and more).

While the majority of our Security roles are based in the US west coast, by applying to this position your application will be considered for all locations we hire for in the United States, including but not limited to: Seattle, WA; New York, NY; Bellevue, WA; Sunnyvale, CA; Austin, TX.

Our team puts a high value on work-life balance. Striking a healthy balance between your personal and professional life is crucial to your happiness and success here, which is why we aren’t focused on how many hours you spend at work or online. Instead, we’re happy to offer a flexible schedule so you can have a more productive and well-balanced life—both in and outside of work.

Our team is dedicated to supporting new members. We have a broad mix of experience levels and tenures, and we’re building an environment that celebrates knowledge sharing and mentorship. We care about your career growth and strive to assign projects based on what will help each team member develop into a better-rounded engineer and enable them to take on more complex tasks in the future.

Basic Qualifications

• 4+ years of professional software development experience
• 3+ years of programming experience with at least one software programming language
• 2+ years of experience contributing to the system design or architecture (architecture, design patterns, reliability and scaling) of new and current systems
• Experience as a mentor, tech lead OR leading an engineering team

• A Bachelor’s degree in Computer Science, Cybersecurity, Computer Engineering, or equivalent professional experience can be used in lieu of a degree.
• Minimum of 6 years of experience in source code auditing, bug hunting or CTF experience.
• Minimum of 6 years of experience with manually auditing source code (one or more of: C, C++, Java, Python, JavaScript, Rust, or others) to find security issues.
• Minimum of 6 years of professional experience with security engineering practices such as in web application security, network security, authentication and authorization protocols, cryptography, automation and other software security disciplines.

Preferred Qualifications

Any of the following are preferred but not required to be considered for this role:

• Master’s degree in Computer Science, Computer Engineering, Electrical Engineering or equivalent
• 6 years of experience scripting in Python or other equivalent interpreted languages (ruby, bash, JavaScript, Go)
• 4 year of development experience in C, C++, assembly (x86, x86-64, ARM) and/or Java
• Experience in embedded/IoT device security or web services security specifically, with experience of performing software security audits, vulnerability discovery and analysis.
• Experience with common software security vulnerabilities and methods of exploitation, such as memory corruption, privilege escalation, web application exploitation, file format vulnerabilities, protocol-based weaknesses, etc.
• Experience with static and dynamic tools for vulnerability detection and exploit mitigation techniques
• Product security incident response in mobile, IoT or cloud services verticals
• Experience with extracting firmware, reverse engineering a variety of hardware and software, including firmware, operating systems, and applications, binary analysis and proof of concept exploit development
• Knowledge of common wireless connectivity protocols with focus on protocol and implementation security vulnerabilities (e.g. Bluetooth, WiFi, 802.15.4)
• Knowledge of hardware security mechanisms, including secure boot, trusted execution environments
• Meets/exceeds Amazon’s leadership principles requirements for this role

Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status. For individuals with disabilities who would like to request an accommodation, please visit https://www.amazon.jobs/en/disability/us.

Pursuant to the Los Angeles Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records