Senior Research Engineer
A Senior Security Research Engineer within the WhiteHat Security Detection Research organization is an experienced application security professional responsible for contributing to development, testing, and release of new scanner tests and functions as a subject matter expert in all aspects of their assigned application security testing technology.
Common responsibilities related to test development, testing, and release include:
- Conducting primary research in the form of automated or manual inspection of sandbox and client applications to discover emerging patterns of technology usage, vulnerabilities, and security controls
- Leveraging existing test expression capabilities, both domain-specific and custom code, to improve detection capabilities by adding new tests and enhancing existing tests
- Monitoring existing test executions and outcomes to collect qualitative and quantitative data on test efficacy in order to identify bugs, defects, and needed enhancements
- Validating, benchmarking, and stress testing existing tests, test changes, and test additions
- Developing proof-of-concept enhancements to test capabilities, documenting requirements, and creating capability specifications
In addition to the above responsibilities of a research engineer, senior responsibilities include:
- Maintaining standards for test efficacy, appropriate release processes, and communication, including reviewing tests, documentation, and release notes authored by associate and research engineers and providing feedback
- Driving projects, research, and development initiatives ("epics") that are larger than a single task or a single engineer, in pursuit of the overall goal of industry-leading detection
- Advancing the state of the art with respect to leveraging existing test capabilities more effectively and fostering deep understanding of the theoretical and practical limits of those capabilities
A bachelor's degree in computer science or an information security related field is expected; additional experience in software development and security testing will be considered in the absence of a bachelor's degree.
This role is a career level research and engineering role that requires expertise in software development, application security testing, and prior experience with application security research.
Candidates for the senior position must be able to demonstrate a breadth of security research experience and speak to specific projects that leveraged their research in pursuit of detection technologies. Activities that qualify include development of new discovery and attack techniques, analysis of patterns of vulnerabilities across a portfolio of applications, evaluating detection technologies for capability and accuracy, and taxonomical classification of security flaws, controls, techniques, practices, and methodologies.
Candidates who have software development experience in Go and the following foundational experience will be positioned for success:
Three years of application security testing experience, which should include more than two of the following activities:
- Configuring, running, and validating the results of one or more foundational application security scanning technologies: DAST, SAST, or SCA
- Manual assessment of web, networked desktop, or mobile applications for security vulnerabilities using an end-to-end assessment methodology
- Manual code review using an industry-recognized standard for vulnerabilities, security control presence, security control quality, and security by design
- Threat modeling, vulnerability management, and prioritization for mitigation and remediation
Two years of professional software development experience, which should include a track record of technology development and delivery and the ability to demonstrate experience with:
- Go: Microservices, Modules, Testing
- At least one of the following or equivalent: Java, C#, Python, Ruby, Perl, C++
- Containerization technology: Docker and Kubernetes
- Microsoft Azure: DevOps Pipelines, Kubernetes Service, Container Registry
Additional relevant experience and skills:
- CI/CD: Jenkins, Travis, Bamboo, etc.
- Cloud platforms: AWS, GCP, Digital Ocean etc.
- Participation in bug bounty programs, responsible disclosure, credited CVEs, and CTFs
- Security certifications: CEH, OSCP, OSWE, CASS, etc.
- Configuring, writing custom rules for, running, and consuming results from AST scanning tools, open source and commercial
Please apply via the careers page on the company website.