Software Security Engineer

London, England, United Kingdom

Applications have closed

Garrison Technology

Ultra-secure isolation technology protecting against cyber attacks. Using hardsec principles, we solve secure browsing, VDI and secure data transfer.


Founded in 2014 in London, United Kingdom, Garrison has raised more than $50m to date from London investors including Dawn Capital, IP Group, NM Capital and BGF. Garrison’s strengths lie in its experienced and dedicated teams, building on years of expertise in cyber security to bring genuinely game changing technology to the industry.

Garrison is working to build the future of cyber security and is already deploying at scale in both the government and commercial space. Our existing customers are large organisations averaging over 50,000 employees each, across sectors including banking, insurance, media, telco, law and government.


Our working culture

We are an exciting start-up with ground-breaking technology; a very serious mission to solve real world problems, but with a positive and highly inclusive atmosphere, and an excellent work/life balance!

At Garrison we celebrate diversity and inclusion, and we’re focused on continuously improving equality for the benefit of our employees, products and community. We recruit, develop and retain talent purely on the basis of qualifications, merit and business needs.

We are proud to be an equal opportunity employer and we take every possible step to ensure that every person employed or seeking employment with us receives fair treatment. No-one shall be disadvantaged on the grounds of age, disability, gender, ethnicity, religion or belief, sexual orientation, marital and parental status, neurodiversity, social background, physical ability, illness or otherwise.

Our employee benefits package is as follows:

  • 25 days holiday allowance per year (with the opportunity to purchase more)
  • Company pension scheme of 8% base salary (depending on minimum contribution)
  • Personal annual training budget
  • Share options
  • Perkbox discounts
  • Life assurance and critical illness cover
  • Employee Assistance Programme
  • Enhanced parental leave
  • Income protection
  • Cycle to work scheme
  • Interest-free season ticket loans
  • Flexible working hours and working from home options
  • Daily fruit, snacks and drinks in our offices
  • Regular socials – such as games and quiz nights, picnics, theatre, and lots more


Overview of the role

As a Software Security Engineer at Garrison, you will be responsible for the definition, application and assurance of software security across our solution. You will work with our existing software development teams at each stage of the development lifecycle to define appropriate security requirements, review designs and implementations against those requirements and develop and execute appropriate security testing for each release.

Your role will also include assessing and triaging vulnerabilities in 3rd party software included in our solution throughout the product lifecycle and supporting the development of security advisories and software updates where required.

Whilst hardware-based security is at the core of our products and our cloud service, we also incorporate a range of commercial and 3rd party (open source) software to deliver our remote browsing and cross-domain solutions. Our technology stack spans embedded software development, distributed systems software, customised AOSP and Chromium builds, desktop and mobile applications, web applications (front end and REST API-based back-end) and Amazon Web Services.

You will be comfortable working with a range of different technologies, understanding complex distributed system behaviour and assessing code and potential vulnerabilities in multiple platforms. Initially this role will focus on embedded software (Linux kernel and embedded Linux application software) but we expect it to grow over time to cover our full technology stack.

This exciting opportunity will involve collaborating with a diverse engineering team and working across a wide range of technologies. We are looking for someone to join the team who can focus on software security, maintain our high standards and enable developers to produce high quality software with security built into the development lifecycle.

This is a hands-on role, requiring a mix of code review and testing alongside an understanding of the threat landscape and common software vulnerabilities. It would particularly suit someone with a development background who increasingly wants to focus on software security or a security manager or tester who wants to extend their expertise further into the software development lifecycle.

We will work with you to develop your knowledge and expertise across all the technologies and languages we use. A flexible approach and the ability to work closely with developers across multiple technologies are more important than specialist knowledge in any one technical area.


Key responsibilities

  • Definition of security requirements for all our software products and solutions based on standards, best practice and a knowledge of the threat environment
  • Working with development teams to create and review designs and implementations (source code and test) against defined security requirements and secure coding standards
  • Working with development teams to ensure use of appropriate tools, toolchain configuration and development environments to support secure development objectives
  • Definition and execution of security tests and analysis tools against all components of our solution covering both requirements compliance and exploratory testing
  • Conducting research on potential attack vectors and vulnerabilities and ensuring that our processes and people are kept up to date with the threat environment
  • Reviewing disclosed vulnerabilities in open source software used in the Garrison solution, analysing risk and providing recommendations on remediation and disclosure


Skills and experience

You’ll be perfect for the role if you have the following experience/skills:

  • Defining secure development policies and requirements and embedding them in the development lifecycle
  • Understanding and translating best practice into software requirements and development tasks for developers
  • Reviewing code in one or more languages to assess and identify potential security issues in the implementation
  • Knowledge of Linux kernel and embedded software security, triaging and assessing patches for kernel and user space software vulnerabilities
  • Defining and executing security-focused test strategies, including developing manual and automated tests of the security properties of a system
  • Reviewing and triaging vulnerabilities in 3rd party software, providing a risk-based assessment and recommendations for remediation


It would be useful if you’re familiar with:

  • Linux kernel security, common vulnerabilities and patching
  • Secure development practices and standards in C, C++ and Python
  • Published standards and best practice guidelines from relevant authorities (e.g. OWASP, NIST)
  • Network security and the use of PKI and TLS to secure communications
  • Security-related testing and test automation in CI/CD environments
  • Web server and REST API security

Tags: APIs Automation Banking C CI/CD Cloud Compliance Linux Network security NIST Open Source OWASP PKI Python REST API TLS Vulnerabilities

Perks/benefits: Career development Equity Flex hours Insurance Parental leave Startup environment Team events

Region: Europe
Country: United Kingdom