Sr. Penetration Testing Engineer, InfraSec-A&T
New York City, USA
Amazon.com
Do you enjoy reading source code to find security issues? Do you enjoy writing proof-of-concept code to demonstrate the risk of an issue? Do you enjoy diving into black-boxes and finding security issues in them? The Infrastructure Security - AppSec & Testing (InfraSec-A&T) team does just that for the global AWS infrastructure.
Our team is responsible for the manual penetration assessments of all network devices, products, services, software and firmware released by infrastructure product teams. We specialize in digging deep to find security issues that static analyzers can’t, and write tooling and code to identify such issues at scale. The AWS infrastructure is foundational to all AWS services, so if you love working below the HTTP APIs on network layers, firmware level or operating system internals, this role could be a great fit.
On this team you will be reading and manually reviewing source code in C, C++, Java, Go, Python, JavaScript, Rust, and other languages to look for security bugs. At times, you may not have the source code and would need to test black boxes for security issues. You’ll be writing proof-of-concept (PoC) code that clearly demonstrates the impact of an issue. You will also be retesting and validating fixes to the security issues discovered, as well as figuring out new ways to break the fixes themselves.
Key job responsibilities
· Manually audit the source code of infrastructure services and software authored in-house by Amazon
· Audit vendor-provided hardware and software builds as a black box to find security flaws in them
· Write proof-of-concept code to demonstrate the severity of a potential security issue
· Communicate security issues clearly to developers and network engineers, helping them understand the issue and test the fix
· Partner with AWS developers to drive improvement in application security as a result of security review engagements
· Provide actionable long term risk mitigation guidance
· Conduct independent vulnerability research pertinent to AWS infrastructural technologies
A day in the life
· Validate the security of a new device being introduced into the AWS data center
· Verify the code fixes made to address security issues
· Write proof-of-concept code to demonstrate the impact of a security issue
· Assess whether a publicly-disclosed issue is impacting AWS software or firmware components
· Ensure the security of vendor-provided hardware (for example, checking its boot process for security flaws)
· Perform penetration tests on yet-to-be-released software, collaborating with AWS engineers so that it meets security requirements early in the development phases
About the team
Within AWS, the Infrastructure Security – AppSec & Testing (InfraSec-A&T) team is responsible for application security (threat modeling, shift-left security), fuzzing and penetration testing of AWS Infrastructure. InfraSec-A&T is part of the Infrastructure Security – Threat, Vulnerability, and Operations (InfraSec-TVO) organization responsible for threat intelligence, vulnerability management, security information and event management (SIEM), incident response, and overall security across the global AWS infrastructure.
We value work/life balance and plan well so we can be creative in our work as well as our lives.
We value inclusion and diversity because we know diversity brings in creativity.
Basic Qualifications
· A Bachelor’s degree in Computer Science, Cybersecurity, or Customer Security; equivalent professional experience can be used in lieu of a degree.
· Minimum of 8 years of experience in source code auditing, bug hunting or CTFs.
· Minimum of 8 years of experience manually auditing source code (one or more of: C, C++, Java, Python, JavaScript, Rust, others) to find security issues.
· Minimum of 8 years of experience scripting in Python or other equivalent interpreted languages.
· Minimum of 8 years of professional experience with security engineering practices such as in web application security, network security, authentication and authorization protocols, cryptography, automation and other software security disciplines.
Preferred Qualifications
· Experience with bug hunting, bug bounties, capture the flag, software development
· Experience with finding security issues in networking software such as routers / switches / embedded software
· Experience with multiple programming languages
· Meets/exceeds Amazon’s leadership principles requirements for this role
· Meets/exceeds Amazon’s functional/technical depth and complexity for this role
#InfraSec
Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status. For individuals with disabilities who would like to request an accommodation, please visit https://www.amazon.jobs/en/disability/us.