Come join our offensive security team dedicated to the detection and exploitation of vulnerabilities affecting Amazon consumer devices. This includes performing low-level reviews of hardware, bootloaders, radios, secure enclaves, or OS security features of devices, service reviews including authentication mechanisms, AI, mobile, & web apps. Engineers are also encouraged to experiment with automated techniques, such as symbolic execution, fuzzing, machine learning, or static analysis.
In this role, you will be part of a dedicated team of talented security engineers performing penetration testing exercises to identify vulnerabilities. You will strive to understand systems, software, and services deeply and develop creative ways to break assumptions in order to find vulnerabilities. You care deeply about keeping Amazon customers safe and therefore are passionate about mitigating vulnerabilities/risks by providing actionable guidance to product teams and drive long term security improvements. You’re well-known for your excellent prioritization skills as well as your ability to communicate at all levels of an organization. If you’re passionate about finding security bugs, writing tools to reduce manual testing, and enjoy seeing your work’s impact across Amazon consumer products and services, then this position is for you. Candidates from entry to senior level will all be considered.
Key job responsibilities
* Perform penetration testing exercises across all products, services, and software released by Amazon Lab126 and develop proof of concept exploits.
* Perform vulnerability research using variety of custom tooling and technologies (e.g. symbolic execution, static analyzers, fuzzers, scanners, machine learning, etc).
* Create tools for the discovery of vulnerabilities as well as scale security testing.
* Review technical solutions to provide guidance to help mitigate security vulnerabilities as well as provide actionable long-term risk mitigation guidance to drive security improvements.
* Develop detailed technical documentation describing identified vulnerabilities, associated impact as well as recommendations for guidance for communication with internal engineering stakeholders as well as leadership.
A day in the life
* Perform pentests on yet-to-be-released devices or software ensuring it meets security requirements
* Perform code review of a driver for a new device being launched to our customers
* Write proof-of-concept code to demonstrate the impact of a security issue
* Raise the security bar of vendor-provided hardware (such as whether there are security flaws in its boot process, etc.)
* Verify the code fixes made to address security issues
* Develop scripts or tools to automate assessments of targets
* Conduct independent vulnerability research on launched products or dependencies
We are open to hiring candidates to work out of one of the following locations:
Clichy, FRA
BASIC QUALIFICATIONS
5+ years of experience in a penetration testing or similar offensive security role
5+ years of professional experience with security engineering practices, including: web application security, network security, authentication and authorization protocols, cryptography, automation, and other software security disciplines
4+ years of experience with code auditing interpreted or compiled languages (e.g. C/C++, Java, Python, Ruby, .NET)
Experience with threat modeling, design review, or other threat analysis techniques
Bachelor’s degree in Computer Science or related field, or equivalent industry experience
PREFERRED QUALIFICATIONS
Experience with testing low level firmware and hardware
Experience with applying and assessing Machine Learning technologies
Knowledge of cloud service providers and their offerings, preferably AWS, and its various technologies and services
Experience in various security domains (e.g. system and network security, authentication and security protocols, cryptography, application security, incident response)
Experience in developing security tooling and automation applying cutting edge technologies such as symbolic execution, code analysis, and fuzzing
Published security research (e.g. conference presentations, whitepapers, blog posts)
Amazon est un employeur engagé pour l’égalité des chances. Nous sommes convaincus qu’une main d’oeuvre diversifée est essentielle à notre réussite. Nous prenons nos décisions de recrutement en fonction de votre expérience et de vos compétences. Nous apprécions votre envie de découvrir, d’inventer, de simplifier et de construire. La protection de votre vie privée et la sécurité de vos données constituent depuis longtemps une priorité absolue pour Amazon. Veuillez consulter notre Politique de Confidentialité pour en savoir plus sur la façon dont nous collectons, utilisons et traitons les données personnelles de nos candidats.
Source ⇲