Sr. Penetration Testing Engineer, InfraSec-A&T

Job summary
Do you enjoy reading source code to find security issues? Do you enjoy writing proof-of-concept code to demonstrate the risk of an issue? Do you enjoy diving into black-boxes and finding security issues in them? The Infrastructure Security - AppSec & Testing (InfraSec-A&T) team does just that for the global AWS infrastructure.

Our team is responsible for the manual penetration assessments of all network devices, products, services, software and firmware released by infrastructure product teams. We specialize in digging deep to find security issues that static analyzers can’t, and write tooling and code to identify such issues at scale. The AWS infrastructure is foundational to all AWS services, so if you love working below the HTTP APIs on network layers, firmware level or operating system internals, this role could be a great fit.

On this team you will be reading and manually reviewing source code in C, C++, Java, go-lang, Python, JavaScript, Rust, and other languages to look for security bugs. At times, you may not have the source code and would need to test black boxes for security issues. You’ll be writing proof-of-concept (PoC) code clearly demonstrating the impact of an issue. You will also be retesting and validating fixes to security issues discovered, as well as figuring out new ways to break the fixes themselves.


Key job responsibilities
· Manually audit the source code of infrastructure services and software authored in-house by Amazon
· Audit the security risk of various builds of vendor-provided hardware and software to find security flaws in it as a black-box
· Write proof-of-concept code to demonstrate the severity of a potential security issue
· Provide clear communication on security issues to developers and network engineers that help in understanding the issue and testing the fix
· Partner with AWS developers to drive improvement in application security as a result of security review engagements
· Provide actionable long term risk mitigation guidance
· Conduct independent vulnerability research pertinent to AWS infrastructural technologies


A day in the life
· Validate the security of a new device being introduced into the AWS data center
· Verify the code fixes made to address security issues
· Write proof-of-concept code to demonstrate the impact of a security issue
· Assess whether a publicly-disclosed issue is impacting AWS software or firmware components
· Ensure high security of vendor-provided hardware (such as whether there are security flaws in its boot process, etc.)
· Perform penetration tests on yet-to-be-released software ensuring it meets security requirements early-on during the development phases by collaborating with AWS engineers

About the team
Within AWS, the Infrastructure Security – AppSec & Testing (InfraSec-A&T) team is responsible for application security (threat modeling, shift-left security), fuzzing and penetration testing of AWS Infrastructure. InfraSec-A&T is part of the Infrastructure Security – Threat, Vulnerability, and Operations (InfraSec-TVO) organization responsible for threat intelligence, vulnerability management, security information and event management (SIEM), incident response, and overall security across the global AWS infrastructure.
We value work/life balance and plan well so we can be creative in our work as well as our lives.
We value inclusion and diversity because we know diversity brings in creativity.

Basic Qualifications

· A Bachelor’s degree in Computer Science, Cybersecurity, Customer Security, or equivalent professional experience can be used in lieu of a degree.
· Minimum of 8 years of experience in source code auditing, bug hunting or CTF experience.
· Minimum of 8 years of experience with manually auditing source code (One or more of: C, C++, Java, Python, JavaScript, Rust, C, others) to find security issues.
· Minimum of 8 years of experience scripting in Python or other equivalent interpreted languages.
· Minimum of 8 years of professional experience with security engineering practices such as in web application security, network security, authentication and authorization protocols, cryptography, automation and other software security disciplines.

Preferred Qualifications

· Experience with bug hunting, bug bounties, capture the flag, software development
· Experience with finding security issues in networking software such as routers / switches / embedded software
· Experience with multiple programming languages
· Meets/exceeds Amazon’s leadership principles requirements for this role
· Meets/exceeds Amazon’s functional/technical depth and complexity for this role

#InfraSec



Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status. For individuals with disabilities who would like to request an accommodation, please visit https://www.amazon.jobs/en/disability/us.