Web Application Security Assessment and Research Engineer
Mountain View, CA
Applications have closed
Samsung Research America
For more than 70 years, Samsung has been at the forefront of innovation. Our discoveries, inventions and breakthrough products have helped shape the history of the digital revolution. We continue to expand our global reach and open new...
Title: Web Application Security Assessment and Research Engineer
Company: Samsung Research America (SRA)
Lab: MPS/ B2B
Location: Mountain View, CA
General Description:
Samsung is constantly working to improve the usefulness and security of its mobile devices through the addition of integrated web services. These services must be founded on a strong basis of Identity and Authorization Management (IAM). Samsung is looking for candidates to help evaluate and improve the security of its next-generation IAM systems, which will tie together products ranging from Find My Mobile to Samsung Health and make it easier for users to authenticate and to delegate authority to third-party services.
Position Summary:
Candidates working in this position will focus on vulnerability analysis and pen testing of Samsung's next-generation identity and authorization management service and other integrated web services. You will analyze our distributed system's web applications, server configurations, protocols, and cryptography using both pen testing and code review. You will have access to previous findings and system design documentation to streamline your process. Previously published research results (conference papers, CVEs, or otherwise) are encouraged.
Technical Keywords:
Exploitation, Web application security, CSRF/XSS, IAM, OAuth, OIDC, pen testing, security research, code review, network security, cryptography, protocols, OWASP top 10, authentication
Responsibilities:
- Review designs of novel distributed IAM features
- Analyze source code for core IAM components and integrated web applications
- Pen test new and existing systems using tools of your choice, e.g., Burp Suite
- Audit APIs for over-permissiveness and recommend more secure authorization scopes
- Research win-win solutions to hard security problems and propose security hardening techniques
Technical Background Required:
- Broad knowledge of web-application weaknesses such as XSS/CSRF, cookie mishandling, 2FA issues, passive and active network attackers, misuse of cryptographic libraries, dangerous APIs, CORS
- Understanding of the goals and architecture of OAuth 2.0 and OIDC 1.0, including what problems they are intended to solve and what can go wrong when implementing them
- Prior experience with pen test suites such as Burp Suite, Nessus, Metasploit, etc. and/or static analysis and code exploration tools
- Knowledge of public and private key cryptography and misuses, including standard systems and modes of operation: ECC, AES, RSA, PKI, padding oracle attacks, improper keying, hashing, RNGs, etc.
- Experience in security hardening and bug fixing including use of Content-Security-Policy, CSRF tokens, input sanitization, prepared statements, and least privilege authorization.
Qualifications:
- Typically requires 5+ years of related experience in a professional role with a Bachelor's degree; or 3+ years with a Master's degree; or a PhD; or equivalent experience
- (Preferred) Previous research experience with computer security, academic security publications, CVEs reported
Additional Information
Work Hours
Incumbent must make themselves available during core business hours.
Physical Requirements
This position will be performed in an office setting. The position will require the incumbent to sit and stand at a desk, communicate in person and by telephone, frequently operate standard office equipment, such as telephones and computers, and reach with hands and arms.
EEO Statement
Samsung is committed to encouraging a diverse workplace and proud to be an equal opportunity employer. As we highly value diversity in our current and future employees, we do not discriminate (including in our hiring and promotion practices) based on race, religion, color, national origin, gender, gender expression, sexual orientation, age, marital status, veteran status, disability status or any other characteristic protected by law.
If you have a disability or special need that requires accommodation, please let us know.
All your information will be kept confidential according to EEO guidelines.